What is preventing Bridge Enumeration?

What is preventing an attacker to start up a few mid-nodes and enumerating all IPs and substracting those from the list of publicly known entry-nodes to get a list of (all) unlisted bridges?

Seems a lot cheaper than dpi and except for a few false positives due to bots pinging it should be quite accurate

Is this an inherent and known flaw to the bridge infrastructure that we have to live with or am i missing some keypoint?

Trac:
Username: doelove1

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information