I know this may screw up some considerations you may have such as not to duplicate actual code from the core, but I think it would be beneficial to check whether the IP is banned before checking everything else in Protector.

I say this because as it is now, when a DOS attack does come in, the precheck code in Protector performs several queries, 1 query to get Get Protector preferences and 4-5 queries in check_dos_attack_prepare()

Not only does that mean that on each page load, even a banned IP will still perform 5-6 queries, it will also be REGISTERED every time, resulting in those 30+ pages of logs with many recurring IPs that has become common on xoops.org

This is not an entirely simple task, because it means that you will have to retrieve a system preference (or two, actually - 'enable_badips' and 'bad_ips') before the XOOPS core API has been included... but perhaps you could have a Protector-specific list of banned IPs and a on/off setting (or just the list) so it is fetched in your call to get Protector preferences in the first place... just an idea.

Keep up the good work