Consider rate-limiting INTRODUCE2 cells when under load

In legacy/trac#15463 (moved), we're seeing an effective denial of service against a HS with a flood of introductions. The service falls apart trying to build rendezvous circuits, resulting in 100% CPU usage, many failed circuits, and impact on the guard.

We should consider dropping INTRODUCE2 cells when the HS is under too much load to build rendezvous circuits successfully. It's much better if the HS response in this situation is predictable, instead of hammering at the guard until something falls down.

One option is to add a HSMaxConnectionRate(?) option defining the number of INTRODUCE2 we would accept per 10(?) minutes, maybe with some bursting behavior. It's unclear what a useful default value would be.

We could try to use a heuristic based on when rend circuits start failing, but it's not obvious to me how that would work.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information