by hartator 1084 days ago
Why not CAPTCHA protect these pages instead of blocking tor? Same attack can go through regular web.

I already have per-IP rate limiting, and I'm against using captchas because they have bad UX (including the much-hailed Turnstile).

I'll probably migrate to some proof-of-work based schemes and some algorithms to detect anomalous requests, but it would require some engineering work on my part (for a free website FWIW), and the quickest way to mitigate it would be to block Tor.

IP blocking blocks most of the people on our local ISP. They are small, and use CGNAT, so one owned Windows machine across town breaks sites like yours for everyone, and the root cause is extremely difficult to debug for end users.

As much as I deeply, deeply dislike captchas, IP blocking is far worse.

IP blocks also just don't work on IPv6. Unless you're prepared to block entirely by ASN, an adversary can cheaply just buy up a lot of address space and churn through them. It gets even messier when dealing with real ISP networks because some hand out /40s for residential customers whereas others give just a /56.

I'm sure you can buy a table that says what size subnet to block for various IPv6 ranges.

>I'll probably migrate to some proof-of-work based schemes and some algorithms to detect anomalous requests, but it would require some engineering work on my part

Have you tried mcaptcha? https://github.com/mCaptcha/mCaptcha
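
A minimal sketch of the kind of proof-of-work scheme discussed in this thread, added here as an example; it is not code from any commenter and not mCaptcha's implementation. The function names, the `|`-separated challenge format, the SHA-256 leading-zero-bits puzzle and the 120-second lifetime are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)  # server-only key; per-process here, shared across workers in a deployment
_spent = set()           # salts already redeemed, so one solution cannot be replayed


def issue_challenge(client_id, bits, now=None):
    """Server: signed challenge bound to the client, the difficulty and the issue time."""
    ts = int(time.time() if now is None else now)
    body = f"{client_id}|{ts}|{bits}|{os.urandom(8).hex()}"
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge):
    """Client: brute-force the smallest nonce; costs about 2**bits hashes on average."""
    bits = int(challenge.rsplit("|", 4)[2])
    nonce = 0
    while _leading_zero_bits(hashlib.sha256(f"{challenge}|{nonce}".encode()).digest()) < bits:
        nonce += 1
    return nonce


def verify(challenge, nonce, client_id, now=None, max_age=120):
    """Server: one HMAC and one hash, no per-challenge state until a solution is redeemed."""
    try:
        cid, ts, bits, salt, tag = challenge.rsplit("|", 4)
        ts, bits = int(ts), int(bits)
        body = challenge[: -(len(tag) + 1)].encode()
        good = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
        tag_ok = hmac.compare_digest(good, tag.encode())
    except ValueError:  # malformed or undecodable challenge
        return False
    now = time.time() if now is None else now
    if not tag_ok or cid != client_id or not 0 <= now - ts <= max_age or salt in _spent:
        return False
    digest = hashlib.sha256(f"{challenge}|{nonce}".encode()).digest()
    if _leading_zero_bits(digest) < bits:
        return False
    _spent.add(salt)  # redeem only after the work has been checked
    return True
```

Because the difficulty is inside the signed challenge, the server can raise `bits` for clients that look anomalous without storing anything per challenge; the `_spent` set needs periodic pruning of entries older than `max_age`.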