[philpem]

While I agree with you -- I'd also like to point out that >90% of malicious traffic to the websites I administer comes through the Tor network.

It shouldn't be the case, and I don't want to block people who have a legitimate reason to use Tor. Unfortunately there isn't a "block Tor traffic from assholes" option, so all I can really do to reduce the malicious traffic is block exit nodes.

[yc12340]

This has nothing to do with Tor. Cloudflare frequently blacklists entire countries/counties worth of people (and rarely reverts those blacklists). There is a good chance, that you have missed a lot Indian/Vietnamese/Russian/Chinese visitors, because Cloudflare concluded, that forwarding their traffic to your site isn't financially viable for them.

> Unfortunately there isn't a "block Tor traffic from assholes" option

What exactly is "Tor traffic from assholes"? Bulk DDoS attacks? E-mail spam? SSH login attempts? Please share your valuable experience with everyone here, so that all of us could stay safe by learning from your example.

[tragicpapercut]

And for companies that don't do business with those countries - this is not a loss.

Most "asshole" traffic I see falls into one of two categories - attempts to exploit vulnerabilities (../../../etc/passwd stuff) and account takeover attacks.

The first I can forgive, I don't frankly care where that traffic comes from and the responsibility is entirely mine as website admin to prevent these types of attacks through good coding practices, WAF, etc.

The second I have less control over because customers / the general public sucks at security. They re-use passwords they've had for 10 years and won't opt-in to 2fa. And as a merchant, my company generally eats the cost of fraud that these attacks generally result in.

If no or little legitimate traffic is coming from Tor, and a significant percentage of malicious traffic is coming from Tor - at great cost to me / my company - why the hell would I allow it to continue?

[rum3]

One simple solution I can think of is to restrict POST requests from Tor exit nodes while still allowing GET requests. Cloudflare will give you a impossible-to-solve captcha even if you just try to visit site.com/index.html and I see no reason for this.

[clubm8]

Is the issue Tor traffic, or that you know what traffic is Tor?

There are many types of "abuse" (not just trolling) - mass downloading/scanning. (Ex: several types of port scanning can't be done via Tor since it doesn't support UDP)