Connection DDoS defenses never applied to DirPort so dir auths still impacted
Back in the connection DDoS problems a year or two back, I hacked up a defense which counted total connections from a given IP address to either my ORPort or my DirPort, and refused future connections for a while if the connection attempt count trips some token-bucket-style threshold.
That threshold has tripped a lot lately and I have been saving myself a lot of connections on moria1 (along with the accompanying bandwidth, memory bloat, upstream problems with connection tables, etc). Here is the latest stat line after 43 days:
Jun 06 19:29:31.165 [notice] DoS mitigation since startup: 0 circuits killed with too many cells. 0 circuits rejected, 0 marked addresses. 749704 connections closed because concurrent, 28222170 connections closed because total. 0 single hop clients refused. 0 INTRODUCE2 rejected.
(Yes, I have been turning away 7 to 8 connections per second, continuously, averaged over the last 43 days. Some addresses are super loud and have no notion of back-off.)
Alas, when I looked earlier, the patch that went into actual Tor only considered ORPort connections, and so it doesn't help me because a lot of my overload is on the DirPort.
Double-alas, my patch and the patch that went in are full of conflicts.
So: I have been meaning to reverse engineer the patch that went in to 0.4.6.1-alpha (#40253), and my patch (in my moria1-0460 branch), and figure out what is actually missing, and make a new patch that applies cleanly to a more recent Tor.
That step doesn't fit in my q1-q2 task set though, so I have been meaning to get to it in q3-q4.
But the network is now all using consensus method 32 (for the MiddleOnly flag), so I need to do something sooner.
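The per-address limiter described in this issue, as an added illustration that is not Tor's dos.c code nor the moria1-0460 branch: a token bucket per client address, consulted for ORPort and DirPort connections alike, that opens a refuse window once the bucket is exhausted. The constants, the fixed-size table and the choice to fail open when the table is full are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical tuning values, not Tor's actual defaults. */
#define MAX_ADDRS 64
#define BURST 5          /* bucket capacity: connections allowed in a burst */
#define REFILL_PER_SEC 1 /* tokens added back per second of quiet */
#define BLOCK_SECS 60    /* refuse window once the bucket runs dry */

typedef struct {
  uint32_t addr;          /* IPv4 address, host order; 0 marks an empty slot */
  int tokens;
  uint64_t last_refill;   /* seconds */
  uint64_t blocked_until; /* seconds; 0 = not blocked */
} addr_state_t;

static addr_state_t table[MAX_ADDRS];
static uint64_t stats_closed_total; /* like "connections closed because total" */

static addr_state_t *lookup(uint32_t addr, uint64_t now) {
  addr_state_t *free_slot = 0;
  for (int i = 0; i < MAX_ADDRS; i++) {
    if (table[i].addr == addr) return &table[i];
    if (!free_slot && table[i].addr == 0) free_slot = &table[i];
  }
  if (!free_slot) return 0; /* table full: fail open (assumption) */
  free_slot->addr = addr; free_slot->tokens = BURST;
  free_slot->last_refill = now; free_slot->blocked_until = 0;
  return free_slot;
}

/* Called for every inbound connection, ORPort or DirPort. Returns true
   when the connection may be accepted, false when it should be closed. */
bool conn_allowed(uint32_t addr, uint64_t now) {
  addr_state_t *s = lookup(addr, now);
  if (!s) return true;
  if (now < s->blocked_until) { stats_closed_total++; return false; }
  uint64_t elapsed = now - s->last_refill;
  if (elapsed >= BURST / REFILL_PER_SEC) s->tokens = BURST; /* clamp, no overflow */
  else s->tokens += (int)(elapsed * REFILL_PER_SEC);
  s->last_refill = now;
  if (s->tokens > 0) { s->tokens--; return true; }
  s->blocked_until = now + BLOCK_SECS; /* bucket empty: refuse for a while */
  stats_closed_total++;
  return false;
}

uint64_t dos_stat_closed_total(void) { return stats_closed_total; }
```

A loud client with no back-off keeps hitting the refuse window and is counted once per attempt, which is what drives the large "closed because total" number in the stat line above.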