I didn’t have time to find the network diagrams on GitHub, but I believe the following is a thread (a bit dated) that describes the indirection resulting from having different vault personas (e.g. data holders vs. data managers) that eliminates the threat described in the original version of the OP with regard to farming.
As far as general out-of-band DDoS protection against malevolent nodes in your routing table goes, I think that is a valid concern and becomes part of malice detection. However, it seems to me that a few simple and naive iptables scripts would offer a lot of protection against this in the case of out-of-band communications from a botnet. For example, some “SafeWall” settings might include dropping all packets from IP addresses not in your routing table (or those whitelisted by you, like a network printer).
Protection from adversaries in your routing table that spoof the IP address of good nodes in your routing table is something interesting to consider… But dirvine’s comment about the difficulty of spoofing makes it seem like this would be a challenging exploit.
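
A sketch of the allowlist idea from the post above, added here as an example and not code from this thread or the project: it turns a peer list into an `iptables-restore` ruleset with a default-drop INPUT policy. The function names, the peer-list format and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset that admits new inbound
# traffic only from allowlisted peers. Function names are hypothetical.

# is_ipv4 ADDR: succeed only for a plain dotted quad, octets 0..255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$octet" -le 255 ] || return 1
    done
}

# safewall_rules: read "ADDR [# comment]" lines on stdin and print the
# ruleset. Any malformed line aborts with no output (fail closed), so a
# tampered peer list cannot smuggle extra rule text into the firewall.
safewall_rules() {
    rules=''
    while read -r addr rest || [ -n "$addr" ]; do
        case "$addr" in ''|'#'*) continue ;; esac
        case "$rest" in ''|'#'*) ;; *) addr='' ;; esac
        if ! is_ipv4 "$addr"; then
            echo "safewall: rejecting malformed peer entry" >&2
            return 1
        fi
        rules="${rules}-A INPUT -s ${addr}/32 -j ACCEPT
"
    done
    # Replies to connections this host opened stay allowed via conntrack.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%sCOMMIT\n' "$rules"
}

# Constructed sample list: two peers (documentation ranges) and a printer.
safewall_rules <<'EOF'
192.0.2.10
198.51.100.7      # peer from routing table
192.168.1.50      # network printer (manual allowlist entry)
EOF
# Check before loading: safewall_rules < peers.txt | iptables-restore --test
```

The ruleset has to be regenerated whenever the routing table changes, and because it matches on source address only, it does nothing against packets that spoof an allowlisted peer's address.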