>One thing I will say though, is that proof-of-work alone isn't a solution for ddos mitigation and bot protection! I've seen attackers using a mass of proxies and headless browsers to solve the challenge

If you make the challenge sufficiently difficult enough, it should mitigate this no?

>or even writing code to extract and solve the challenge directly (https://github.com/lizthegrey/tor-fetcher).

Similarly if the challenge is difficult, wouldn't matter where it's solved.

I'm not sure why one would use Anubis over haproxy-protection.