Look at conf/login_athena.conf
Find this:
// DNS Blacklist Blocking
// If enabled, each incoming connection will be tested against the blacklists
// on the specified dnsbl_servers (comma-separated list)
use_dnsbl: yes
If it says "yes" then, change it to "no". If it already says "no", the DDoS warning is being triggered by something else. I've experienced it before, I'm still trying to recall.