If an attacker has your command passwords, they can do whatever you can do. This is not good. So ostiary supports (indeed, requires) choosing a special 'kill' password. If ostiaryd receives this special command, it will immediately shut down. (It's probably not a good idea to set up ostiaryd to respawn... but if you do, you could create a more thorough 'kill' command with a script, e.g. one that moves the ostiaryd executable (or just removes the exec permission bits), then kills the process.)
Even if we refuse data from known bad addresses, we still have to accept connections long enough to at least determine if the originating address is bad or not. If we just accept connections as fast as they arrive, an attacker could drive up the CPU load on the system just by connecting as fast as possible.
To deal with this, we have a maximum rate at which we accept connections. This is implemented by sleeping for a user-specified time (default five seconds) between connections. This should keep the CPU load from ostiaryd itself small, no matter how fast the attacker is trying to connect.
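
The sleep-between-connections idea, as an added example (not taken from the ostiary source): a listener that accepts one connection, closes it, and sleeps before the next accept(), so a burst of clients waits in the kernel listen queue instead of spinning the daemon. The names serve_throttled and demo_elapsed_ms, the loopback setup and the 50 ms delay (standing in for the five-second default) are assumptions made for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

/* Accept up to max_conns connections, sleeping delay_ms after each one.
 * Waiting clients sit in the kernel listen queue. Returns the number handled. */
int serve_throttled(int lfd, long delay_ms, int max_conns) {
    struct timespec ts = { .tv_sec = delay_ms / 1000,
                           .tv_nsec = (delay_ms % 1000) * 1000000L };
    int handled = 0;
    while (handled < max_conns) {
        int cfd = accept(lfd, NULL, NULL);
        if (cfd < 0) break;
        /* a real daemon would check the peer address and read the command here */
        close(cfd);
        handled++;
        nanosleep(&ts, NULL);   /* the only pacing: one accept per delay */
    }
    return handled;
}

/* Constructed demo: queue `clients` loopback connections at once, then drain
 * them through the throttled loop. Returns elapsed milliseconds, or -1. */
long demo_elapsed_ms(int clients, long delay_ms) {
    struct sockaddr_in a = {0};
    socklen_t alen = sizeof a;
    struct timespec t0, t1;
    int cfds[16], i, lfd;
    if (clients < 1 || clients > 16 || (lfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: kernel picks one */
    if (bind(lfd, (struct sockaddr *)&a, sizeof a) < 0 || listen(lfd, 16) < 0 ||
        getsockname(lfd, (struct sockaddr *)&a, &alen) < 0) return -1;
    for (i = 0; i < clients; i++) {
        cfds[i] = socket(AF_INET, SOCK_STREAM, 0);
        if (connect(cfds[i], (struct sockaddr *)&a, sizeof a) < 0) return -1;
    }
    clock_gettime(CLOCK_MONOTONIC, &t0);
    if (serve_throttled(lfd, delay_ms, clients) != clients) return -1;
    clock_gettime(CLOCK_MONOTONIC, &t1);
    for (i = 0; i < clients; i++) close(cfds[i]);
    close(lfd);
    return (t1.tv_sec - t0.tv_sec) * 1000 + (t1.tv_nsec - t0.tv_nsec) / 1000000;
}

int main(void) { printf("%ld ms\n", demo_elapsed_ms(3, 50)); return 0; }
```

All three clients connect immediately, yet the loop takes at least three delay periods to drain them, which is the bound on how much work a fast connector can force.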