Re: DDoS protection module suggestion

Hey Malte,

During a DDoS attack, you are sending $possible_bad-ip to a different
server that just sits there and does nothing but captcha. The cost of
showing a captcha to a host is far less than the impact it would have on
your network/servers.

Also, on the captcha you can implement cookie checks, and if the host does
not become valid, say after seeing the page $n_times, then you can add the
IP to an ACL block list. Layer 3-4 blocking costs much less than
layer 7; the same goes for taking the threat away from your
production Internet-facing servers and forcing the possibly bad hosts to go
through a captcha system.

The last time I set up a network to handle a 400 Mbps, 140k connections
(not packets) per second attack, it was with the suggestions and topology
I've described. It's worked without issues for me, but perhaps you are
seeing something that I have not.

Regards,
-Payam
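An added example, not from Payam's mail or from the module under discussion, that simulates the captcha-host logic described above: a suspect IP is sent to a captcha gate, every view without a valid cookie is counted, and once an IP has seen the page more than $n_times without becoming valid it is moved to a layer 3-4 block list. The cookie format (HMAC over IP and expiry), the shared secret, the threshold of 3, the one-hour lifetime and the iptables command emitted for the ACL are all assumptions for illustration; the traffic in `simulate()` is constructed.

```python
import hmac
import hashlib
from collections import defaultdict

# Assumptions for the example: a secret shared by the captcha host and the edge,
# a cookie lifetime, and the $n_times threshold from the mail.
SECRET = b"rotate-me-per-deployment"
COOKIE_TTL = 3600          # seconds a solved-captcha cookie stays valid
N_TIMES = 3                # captcha views tolerated before the IP is ACL-blocked


def issue_cookie(ip, now):
    """Cookie handed out after a solved captcha: 'ip|expiry|hmac' so it cannot be
    forged, moved to another source IP, or reused after it expires."""
    exp = int(now) + COOKIE_TTL
    msg = f"{ip}|{exp}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{ip}|{exp}|{sig}"


def cookie_valid(cookie, ip, now):
    """True only if the cookie is well formed, correctly signed, bound to the
    requesting IP and not expired. Any parsing failure counts as invalid."""
    if not cookie:
        return False
    try:
        c_ip, exp, sig = cookie.split("|")
        exp = int(exp)
    except ValueError:
        return False
    expected = hmac.new(SECRET, f"{c_ip}|{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected) and c_ip == ip and exp > now


class CaptchaGate:
    """State kept by the captcha server: per-IP view counter, block list and the
    layer 3-4 ACL commands it would push to the edge (assumed iptables syntax)."""

    def __init__(self, n_times=N_TIMES):
        self.n_times = n_times
        self.views = defaultdict(int)
        self.blocklist = set()
        self.acl_cmds = []

    def handle(self, ip, cookie, now):
        """Outcome for one request: 'pass' (valid cookie), 'captcha' (show the
        page again) or 'blocked' (IP is on the ACL block list)."""
        if ip in self.blocklist:
            return "blocked"
        if cookie_valid(cookie, ip, now):
            return "pass"
        self.views[ip] += 1
        if self.views[ip] > self.n_times:
            # Host never became valid: drop it at layer 3-4 instead of serving
            # any more layer 7 content to it.
            self.blocklist.add(ip)
            self.acl_cmds.append(f"iptables -I INPUT -s {ip} -j DROP")
            return "blocked"
        return "captcha"

    def solve(self, ip, now):
        """Called when the host solves the captcha: reset its counter, issue cookie."""
        self.views.pop(ip, None)
        return issue_cookie(ip, now)


def simulate():
    """Constructed traffic: a bot that never solves the captcha, and a human who
    does and then presents the cookie again, plus tampered, stolen and expired
    cookies to show the checks that make the cookie worth trusting."""
    gate = CaptchaGate(n_times=3)
    now = 1_000_000
    bot = "198.51.100.7"
    human = "203.0.113.9"

    bot_results = [gate.handle(bot, None, now + i) for i in range(5)]

    human_first = gate.handle(human, None, now)
    cookie = gate.solve(human, now)
    human_second = gate.handle(human, cookie, now + 10)

    c_ip, exp, sig = cookie.split("|")
    tampered = gate.handle(human, f"{c_ip}|{int(exp) + 999_999}|{sig}", now + 20)
    stolen = gate.handle("198.51.100.8", cookie, now + 30)
    expired = gate.handle(human, cookie, now + COOKIE_TTL + 1)

    return {
        "bot": bot_results,
        "human_first": human_first,
        "human_second": human_second,
        "tampered": tampered,
        "stolen": stolen,
        "expired": expired,
        "acl": gate.acl_cmds,
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The bot is shown the page three times, then the fourth view pushes it over the threshold and the only thing the edge has to do from then on is a layer 3-4 drop; the human pays for one captcha and is then waved through on the cookie, while a cookie with an edited expiry, a cookie presented from a different source IP, or an expired cookie all fall back to the captcha page rather than to the production servers.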