Relays shouldn't be blind to who is connecting to them. I've mentioned multiple times to other relay developers and nobody seems to listen... but you can ban IP addresses.  Even if you are getting a DDoS those are from a subset of IP addresses that will have to repeat at some point and then you know which ones to ban.

Banning doesn't have to be only by pubkey.

Will this hurt VPN users... yes.  But VPNers accepted this as part of the cost of privacy.

I don't know of a perfect solution.