by ludjer 974 days ago
What's the alternative? If most Tor traffic is password attempts and bad actors, how do you protect yourself from Tor's bad actors without affecting all of Tor's users? I work at a company that runs a large website (top 1000 websites in the world), and we don't even have to block Tor exit nodes since they trigger our bot and snap blocking rules on our firewall. How do we let valid Tor users through without letting all the malicious actors in?
2 comments

My take on this: if there is some DDoS taking place from the same IP I am connecting from, that sucks for me but I'm willing to tolerate it (good old fail2ban). But having such a firewall all the time, even when you are getting less than 1 request per second from Tor? That's overkill.
If I occasionally get a DDoS from Tor, I'll probably just block Tor all the time, even if my current traffic loads from Tor are low. It's simply not worth the hassle of waiting until my servers start getting spammed, it's better to just keep the door shut all the time.
How would you deal with an attack through residential US proxies? Your method falls apart.

The way many of us deal with automated password attacks is to issue questions that only locals or people with specific knowledge could answer. Change the questions and do everything custom.

It sounds like they have behavior-oriented rules that are just always triggered on Tor because Tor traffic has a disproportionate amount of bot traffic. I see no reason why behavioral blocking breaks down when an attack comes from an IP space that is usually more benign.
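The fail2ban-style reaction mentioned earlier and the behavioral rules described in this comment both come down to the same thing: decide by what a source does, not by where it comes from. The following Python is an added example, not code from the thread or from any of the tools named in it. It runs a sliding-window failed-login counter over a constructed audit log (the log format, addresses and usernames are all made up) and flags a source only when its own failure rate crosses a threshold, so a Tor exit node and a residential proxy are judged by the same rule.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample login audit log. The format, the RFC 5737 documentation
# addresses and the usernames are invented for this example.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z ip=203.0.113.5 user=alice result=FAIL
2024-01-01T10:00:00Z ip=192.0.2.9 user=heidi result=FAIL
2024-01-01T10:00:02Z ip=198.51.100.7 user=carol result=FAIL
2024-01-01T10:00:03Z ip=203.0.113.5 user=bob result=FAIL
2024-01-01T10:00:05Z ip=203.0.113.5 user=dave result=FAIL
2024-01-01T10:00:06Z ip=198.51.100.7 user=carol result=FAIL
2024-01-01T10:00:07Z ip=203.0.113.5 user=erin result=FAIL
2024-01-01T10:00:09Z ip=198.51.100.7 user=carol result=OK
2024-01-01T10:00:10Z ip=203.0.113.5 user=frank result=FAIL
2024-01-01T10:00:12Z ip=203.0.113.5 user=grace result=FAIL
2024-01-01T10:02:00Z ip=192.0.2.9 user=heidi result=FAIL
2024-01-01T10:04:00Z ip=192.0.2.9 user=heidi result=FAIL
2024-01-01T10:06:00Z ip=192.0.2.9 user=heidi result=FAIL
2024-01-01T10:08:00Z ip=192.0.2.9 user=heidi result=FAIL
2024-01-01T10:10:00Z ip=192.0.2.9 user=heidi result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "result": m["result"]}


def find_offenders(log_text, max_failures=5, window_seconds=60):
    """Return {ip: details} for sources with >= max_failures failed logins
    inside any window_seconds-long window. Only behaviour is examined; the
    source's network (Tor exit, residential proxy, corporate NAT) plays no part."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # audit logs are not always in order

    recent = defaultdict(deque)  # ip -> deque of (timestamp, username) failures in window
    offenders = {}
    for e in events:
        if e["result"] != "FAIL":
            continue
        q = recent[e["ip"]]
        q.append((e["ts"], e["user"]))
        # Drop failures that have aged out of the sliding window.
        while q and (e["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_failures and e["ip"] not in offenders:
            offenders[e["ip"]] = {
                "flagged_at": e["ts"].isoformat(),
                "failures": len(q),
                # Many distinct usernames from one source is the credential-stuffing
                # signature; repeated failures on one account looks more like a
                # forgetful user and may deserve a softer response.
                "distinct_users": len({u for _, u in q}),
            }
    return offenders


if __name__ == "__main__":
    for ip, info in find_offenders(SAMPLE_LOG).items():
        print(ip, info)
```

On the constructed log only 203.0.113.5 is flagged (five failures across five usernames in ten seconds). 198.51.100.7 fails twice and then succeeds, the ordinary mistyped-password pattern, and is left alone. 192.0.2.9 also fails six times, but spread two minutes apart, so with a 60-second window it never trips the rule; that is the edge case to keep in mind when tuning `max_failures` and `window_seconds`, since a longer window catches slow guessing at the cost of more false positives on shared addresses.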

> The way many of us deal with automated password attacks is to issue questions that only locals or people with specific knowledge could answer. Change the questions and do everything custom.

If I'm understanding what you're saying, this sounds horrible. What if I'm visiting an area where I don't have local knowledge? What about for the year or so after I move in to a new city? What if your assessment of what locals do and don't know is just wrong? There are a ridiculous number of failure modes in this questions-oriented approach. The only place this could possibly make sense is in some sort of internal company software, but even that context has better options available.

It is used commonly with Facebook groups. Having to answer a question related to the group topic filters out spammers. I do it for country-specific sites requiring knowledge. The information can be googled if desire is high.
Facebook groups I can see, especially because they're often surrounding specific niche topics that you can reasonably expect people to have some shared knowledge of, and the administrator of a Facebook group doesn't have that many levers to pull to reduce spam.

At the country level (and for applications where you have enough control over your infrastructure to use a real firewall) I question both the efficacy and accessibility of a system like you propose—it's not that different from the old style "what is 2+2" CAPTCHAs, and there's a good reason why most applications have moved on from those. They're not a serious alternative to behavioral rules like what OP describes.