After opening the emoji selector in the post editor, discourse throws users out once they load a page again (like after submitting a post).
429 Too Many Requests
Your IP address has made too many requests to this service over a short amount of time. Please wait a few minutes and try again.
If you are behind a proxy or coming from a large company, you and many other users may appear to be the same person. Please let us know of recurring problems by email: team@discourse.org
It seems it was not the user trying to DDOS discourse, but discourse itself. If there is a way, maybe distinct requests to resources (like emojis) should not be considered? Or all emojis should be combined into a sprite?