
Hmmmm, isn't that an inherent property of any for-public-use database? By your definition, any public pki (keybase.io, keys.openpgp.org, etc.), social network (Twitter, Facebook, Mastodon, etc.), and more are vulnerable to someone just writing a script and bloating their database.

What mitigation strategies do other ecosystems use? Why can't they be tried in the keyserver pool?



This is not a complete, imperfect, optimal, uncontroversial or always-trivial-to-implement list, but some common ways to increase attacker costs are to:

0. Put a CAPTCHA on expensive/abused functionality.

1. Rate-limit costly transactions to 1 per hour/day/etc (whatever's appropriate) per IPv4 address.

2. Limit total amount of data added to the db per time period per IPv4 address.

3. Iff you get a lot of abuse from VPS/cloud providers, block or even-more-severely-limit their published IPv4 ranges. Generally speaking a normal user will not write to a pubkey db from a cloud IP.

4. Iff you get a lot of IPv6 abuse, either go IPv4-only (no doubt this will make some people super-mad.. but when it's the only way to keep the service operational..). Sometimes treating every /64 as roughly equal to one IPv4 address is a sufficient defense.

5. If you don't like using IPv4 as the scarce good, then use some other primitive such as SMS verification of a phone number (that may be unacceptable for sks due to obvious privacy and hijacking concerns.. but it's basically what Signal does..)

6. Users (and environmentalists) will hate it, but if all else fails, require proof-of-work/hashcash. Periodically expire keys that didn't submit a $1-10 POW ticket each year, etc. Or an equivalent minable cryptocurrency payment.
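Items 1, 2 and 4 above (per-IPv4 rate limits, a per-client byte cap, and treating an IPv6 /64 as one client) as an added illustration, not code from the thread or from SKS; the window lengths and byte budget are constructed policy values, and `now` is passed in explicitly so the behaviour is easy to check:

```python
import ipaddress
from collections import defaultdict

# Constructed policy values for illustration (not from the thread): one key
# submission per hour and at most 64 KiB of new key material per day, per client.
SUBMIT_WINDOW = 3600            # seconds
SUBMITS_PER_WINDOW = 1
BYTES_WINDOW = 86400            # seconds
BYTES_PER_WINDOW = 64 * 1024


def limiter_key(ip: str) -> str:
    """Map a client address to the bucket it is charged against.

    IPv4 clients are charged per address (item 1). IPv6 clients are charged
    per /64, because a single host usually controls a whole /64 and a
    per-address limit there would be trivially sidestepped (item 4).
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(addr)
    return str(ipaddress.IPv6Network(f"{addr}/64", strict=False))


class SubmissionLimiter:
    """Per-bucket limits on submission count (item 1) and bytes added (item 2)."""

    def __init__(self) -> None:
        # bucket -> list of (timestamp, bytes) for accepted submissions
        self._accepted = defaultdict(list)

    def check(self, ip: str, size: int, now: float):
        """Return (allowed, reason); records the submission when allowed."""
        key = limiter_key(ip)
        # Drop events older than the longest window we still care about.
        events = [(t, n) for t, n in self._accepted[key] if now - t < BYTES_WINDOW]
        self._accepted[key] = events
        recent = [t for t, _ in events if now - t < SUBMIT_WINDOW]
        if len(recent) >= SUBMITS_PER_WINDOW:
            return False, "rate-limited"
        if sum(n for _, n in events) + size > BYTES_PER_WINDOW:
            return False, "volume-limited"
        events.append((now, size))
        return True, "accepted"


if __name__ == "__main__":
    lim = SubmissionLimiter()
    # Constructed sample traffic: two IPv6 hosts in the same /64 share a bucket.
    print(lim.check("2001:db8:abcd:1::5", 2048, now=0))      # (True, 'accepted')
    print(lim.check("2001:db8:abcd:1::6", 2048, now=10))     # (False, 'rate-limited')
    print(lim.check("203.0.113.7", 70_000, now=10))          # (False, 'volume-limited')
```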


They certainly are vulnerable. The solutions for social networks are in client/behaviour analysis: Are you trying to create a 10th account from the same IP? Are you creating multiple accounts with the same browser fingerprint? Have you got any personal details attached? (That's one reason they started pushing phone verification.) Is the action automated? (CAPTCHA) Is your friend graph a clique of fresh accounts?

A lot of these can't be applied to SKS unfortunately.


You should create multiple accounts with a different browser fingerprint for each account. I usually use Kameleo software to load different profiles with manipulated browser fingerprint https://support.kameleo.io/article/what-is-browser-fingerpri...



