by hombre_fatal 2342 days ago
That's a feature, though. 99.9% of the time, someone who checks those checkboxes is abusing your service, not some rogue journalist doing research under an oppressive regime like we like to believe (lol). You're better off thanking bad actors than people choosing Cloudflare to get some relief from HolaVPN/IoT botnets which are dirt cheap and getting cheaper every day.
2 comments

I think you'll find a number of people who have seen issues (myself included). Things like adding Cloudflare on top of an API, breaking clients when CF decides their IP needs verification. Besides, other than DDoS, how do you abuse a static site?
> I think you'll find a number of people who have seen issues (myself included).

Yes, that's the difference between 99.9% and 100%. Cloudflare cited traffic percentages which match what most experienced site operators have seen, with a much higher percentage of malicious activity using Tor than most other networks and no easy way to have per-user reputation (that was the impetus for developing the “Privacy Pass” feature).

Here's what they said at the time, which also has some answers for your question about non-DoS problems:

> On the other hand, anonymity is also something that provides value to online attackers. Based on data across the CloudFlare network, 94% of requests that we see across the Tor network are per se malicious. That doesn’t mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network. To give you some sense, based on data from Project Honey Pot, 18% of global email spam, or approximately 6.5 trillion unwanted messages per year, begin with an automated bot harvesting email addresses via the Tor network.

https://blog.cloudflare.com/the-trouble-with-tor/

What does a static-site-abusing Tor user look like?