IMO the only way to really survive a determined DDoS is to use a CDN like Cloudflare. They have many secret detection and protection techniques, far more than you could hope to build in Django.
Thank you for looking this up. This sounds like something we should legitimately fix, and maybe add a note in the release docs for updating each version. Would you like to open an issue?