How to solve the problem of source IP leakage and DD attacks even when using Cloudflare CDN?

It depends on your definition of hidden. Yes, all IP addresses are public. But then which of the 4 billion IP addresses is the correct one? I think, for this discussion, the IP can be considered hidden if there is no way to determine the IP address(es) for a server that is serving a specific Discourse forum (so the function f(h) is undetermined, where function f gives you the true IP address for a host).
Given:

  • that you are not Cloudflare
  • the forum is not revealing its IP through outbound traffic like oneboxing or outbound email headers or any other way

But I agree with you that “hidden” is a confusing and incorrect term. “unknown” is probably better.

That depends on the type of DDoS. For an application-layer attack this might be true, but also hard since it would need some kind of rate limiting with request inspection. But for a network-layer attack (simply traffic flooding by amplification or a SYN attack) this might not hold. Besides, what you’re basically saying is “it’s not an issue if you can mitigate it”, which is kind of obvious, but also hard and/or expensive.

It also depends on the type of attack. An application layer attack would need to be tailored to Discourse but could for instance run some heavy queries like searches to overwhelm the application servers, while a network layer attack can be more generic, take more traffic and can simply clog nginx or the VPS network.
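The post lists outbound email headers as one way a forum can reveal its origin address. The following script is an added example, not code from the post or from Discourse: it scans a notification message's `Received:` and `X-Originating-IP` headers and reports any public IP that is not inside the networks you expect to see there. The Cloudflare ranges in `EXPECTED_NETWORKS` are a subset of Cloudflare's published list copied in so the demo runs offline; the relay range `198.51.100.0/24`, the hostnames and both sample messages are constructed for the example.

```python
"""Added example (not from the forum post): detect origin-IP disclosure in
outbound mail.

A Discourse origin is only "unknown" if nothing the forum emits reveals it.
The Received: header that a recipient's MTA writes records the IP that
connected to it, so a forum that delivers its own notifications publishes
its origin in every message. This script scans a message's Received: and
X-Originating-IP headers and reports any public address that is not inside
the networks you expect to see there (the CDN ranges and your mail relay).
"""
import email
import ipaddress
import re
from email import policy

# Assumption: a few of Cloudflare's published IPv4 ranges, copied here so the
# demo runs offline; fetch the current list from https://www.cloudflare.com/ips/.
# 198.51.100.0/24 is a constructed stand-in for the mail relay you send through.
EXPECTED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "172.64.0.0/13",
    "198.51.100.0/24",
)]

# Excluded explicitly rather than via ipaddress.is_global, which would also
# hide the documentation ranges (TEST-NET) used in the constructed samples.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16",
)]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_expected(addr):
    """True if addr (str or IPv4Address) lies inside one of EXPECTED_NETWORKS."""
    addr = ipaddress.ip_address(str(addr))
    return any(addr in net for net in EXPECTED_NETWORKS)


def routable_ips(text):
    """Public IPv4 addresses found in text, ignoring RFC 1918/loopback/link-local."""
    out = []
    for m in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(m)
        except ValueError:          # e.g. 999.1.1.1 matched by the loose regex
            continue
        if not any(addr in net for net in NON_ROUTABLE):
            out.append(addr)
    return out


def find_leaked_ips(raw_message):
    """Return unexpected public IPs disclosed by the message headers.

    Only the 'from ...' clause of each Received: header is inspected, so the
    receiving MTA's own address (after 'by') is not mistaken for a leak.
    An empty list means the headers do not reveal an origin outside the
    expected networks.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    leaked = []
    for value in msg.get_all("Received", []):
        from_clause = re.split(r"\s+by\s+", str(value), maxsplit=1)[0]
        leaked.extend(routable_ips(from_clause))
    for value in msg.get_all("X-Originating-IP", []):
        leaked.extend(routable_ips(str(value)))
    return sorted({str(a) for a in leaked if not is_expected(a)})


# Constructed sample 1: the forum VPS (203.0.113.7, TEST-NET-3) delivered the
# notification itself, so the recipient's MX recorded the origin address.
LEAKING_MESSAGE = """\
Received: from forum.example.com (forum.example.com [203.0.113.7])
        by mx.recipient.example (Postfix) with ESMTPS id 4ABC
        for <user@recipient.example>; Mon, 1 Jan 2024 00:00:00 +0000
From: noreply@forum.example.com
To: user@recipient.example
Subject: [Forum] New reply to your topic

Someone replied to your topic.
"""

# Constructed sample 2: the forum handed the mail to a relay over a private
# address, and only the relay's (expected) address reaches the recipient.
CLEAN_MESSAGE = """\
Received: from relay.mailprovider.example ([198.51.100.25])
        by mx.recipient.example (Postfix) with ESMTPS id 4DEF
        for <user@recipient.example>; Mon, 1 Jan 2024 00:00:05 +0000
Received: from forum.example.com (unknown [10.0.3.4])
        by relay.mailprovider.example (Postfix) with ESMTPSA id 4GHI;
        Mon, 1 Jan 2024 00:00:01 +0000
From: noreply@forum.example.com
To: user@recipient.example
Subject: [Forum] New reply to your topic

Someone replied to your topic.
"""

if __name__ == "__main__":
    print("leaking message:", find_leaked_ips(LEAKING_MESSAGE))
    print("clean message:  ", find_leaked_ips(CLEAN_MESSAGE))
```

Run it against a notification the forum sent to a mailbox you control. Note that relaying alone is not enough: if the relay records the forum's public address in its own `Received:` header, that address still reaches the recipient and the script will flag it, which is why the clean sample has the forum reaching the relay over a private address.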