Background
Image tokens were introduced in Drupal 7.20 to mitigate SA-CORE-2013-002. The change appends a token as a query string to every on-demand image derivative URL that Drupal generates, which prevents the feature from being abused to request a large number of new derivatives that fill up the server's disk space and cause very high CPU load.
Current behavior
Drupal returns a 403 (Access Denied) when an image derivative is requested with an invalid token, whether or not the source image is available. During an attack, or when query parameters are stripped from image requests, the large number of 403 responses hitting the web server may make the site unavailable or unresponsive.
New behavior
Drupal now returns a 404 (Page Not Found) when an image derivative is requested with an invalid token, whether or not the source image is available. Web hosts that enforce caching of 404s for a certain period of time at the caching reverse proxy can mitigate DoS or DDoS attacks much more easily.
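To see whether a site is receiving the rejected derivative requests described above, the following added example (not part of the original change record or of Drupal's code) tallies 403 and 404 responses on image style paths per client and separates requests that arrived without a token from those that carried one. It assumes combined-format access logs, Drupal 7's default `/styles/<style>/<scheme>/<file>` derivative path layout, and the `itok` query parameter; the log lines and function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:10:00:01 +0000] "GET /sites/default/files/styles/thumbnail/public/a.jpg HTTP/1.1" 403 512 "-" "curl/7.47"
203.0.113.7 - - [10/Mar/2016:10:00:01 +0000] "GET /sites/default/files/styles/large/public/a.jpg HTTP/1.1" 404 512 "-" "curl/7.47"
203.0.113.7 - - [10/Mar/2016:10:00:02 +0000] "GET /sites/default/files/styles/medium/public/a.jpg?itok=AAAAAAAA HTTP/1.1" 404 512 "-" "curl/7.47"
198.51.100.4 - - [10/Mar/2016:10:00:03 +0000] "GET /sites/default/files/styles/thumbnail/public/b.jpg?itok=x1Yz9QpL HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2016:10:00:04 +0000] "GET /node/1 HTTP/1.1" 404 900 "-" "Mozilla/5.0"
"""

# client IP, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
# Assumed derivative path layout: .../styles/<style>/<scheme>/<file>
STYLE_RE = re.compile(r'/styles/[^/]+/[^/]+/.+')
# 403 before the change, 404 after it
REJECTED = {"403", "404"}


def rejected_derivatives(log_text):
    """Return {client_ip: Counter(missing_token=n, with_token=m)}."""
    tally = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target, status = m.groups()
        url = urlsplit(target)
        if status not in REJECTED or not STYLE_RE.search(url.path):
            continue
        # The log cannot show whether a supplied token was valid, only
        # whether one was sent at all.
        has_token = bool(parse_qs(url.query).get("itok"))
        kind = "with_token" if has_token else "missing_token"
        tally.setdefault(ip, Counter())[kind] += 1
    return tally


def noisy_clients(log_text, threshold):
    """Clients with at least `threshold` rejected derivative requests."""
    return sorted(ip for ip, counts in rejected_derivatives(log_text).items()
                  if sum(counts.values()) >= threshold)
```

A high `missing_token` count spread across many clients usually points to a proxy or CDN stripping query strings rather than to an attack. After the change, a 404 on a derivative path can also mean the source image is missing, so the counts are an upper bound on token rejections.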