Handling brute force attacks in the kernel
Posted Mar 18, 2021 12:55 UTC (Thu) by walters (subscriber, #7396)
Parent article: Handling brute force attacks in the kernel
I haven't followed closely, but https://lwn.net/Articles/808048/ seems a lot more promising to me because it allows lifting all these heuristics out of the kernel - a hybrid eBPF + userspace process can access more semantic information; say things like "did this process receive packets from an untrusted network recently". And it can be much more configurable, e.g. one could easily recode it to force a process like this to dump core for offline analysis instead, etc.