anti-exit-DDoS: token bucket limit for new streams per circuit at exits
Currently a single circuit can apparently affect an entire exit relay by creating new outbound connections at a high rate. The CPU load will increase and traffic drops fast during such events.
Some operators run scripts that adjust their exit policy once they detect such outbound floods, but blocking popular destinations by exit policy is not a solution for this problem, especially since the floods have turned to Cloudflare destinations.
Please implement a token bucket quota for new outbound connections at exits, enforced per circuit. The destination IP/port should not be relevant.
This needs a mitigation inside tor instead of custom packet filter scripts. Packet filters do not know whether a new outbound TCP connection at an exit belongs to a specific tor circuit or not.
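To make the request concrete, here is a sketch of what such a per-circuit quota could look like. This is an added example for this issue, not Tor's own code: a small token bucket in C (the language tor is written in) with a burst capacity and a sustained refill rate, consulted once per new stream on a circuit and blind to the destination. The type and function names (circ_stream_bucket_t, circ_stream_bucket_allow, simulate_stream_flood) and the burst/rate values are assumptions; a real implementation would keep the state on the circuit object and consult it when the exit handles a RELAY_BEGIN cell.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical per-circuit token bucket for new outbound streams at an exit.
 * Added example, not Tor's code: names and parameters are assumptions.
 */
typedef struct {
  uint32_t capacity;        /* burst size: maximum tokens the bucket holds */
  uint32_t refill_per_sec;  /* sustained rate: tokens added per second */
  uint32_t tokens;          /* tokens currently available */
  uint64_t last_refill_ms;  /* clock position up to which refills are accounted */
  uint64_t rejected;        /* stream attempts refused; useful for metrics/logs */
} circ_stream_bucket_t;

void
circ_stream_bucket_init(circ_stream_bucket_t *b, uint32_t burst,
                        uint32_t rate_per_sec, uint64_t now_ms)
{
  b->capacity = burst;
  b->refill_per_sec = rate_per_sec;
  b->tokens = burst;          /* a fresh circuit starts with a full burst */
  b->last_refill_ms = now_ms;
  b->rejected = 0;
}

/* Add the tokens earned since the last refill. Sub-token remainders are kept
 * by only advancing the clock as far as the credited tokens account for. */
static void
circ_stream_bucket_refill(circ_stream_bucket_t *b, uint64_t now_ms)
{
  if (b->refill_per_sec == 0 || now_ms <= b->last_refill_ms)
    return;
  uint64_t elapsed_ms = now_ms - b->last_refill_ms;
  uint64_t new_tokens = elapsed_ms * b->refill_per_sec / 1000;
  if (new_tokens == 0)
    return;                   /* not a full token yet; leave the clock alone */
  /* Round the consumed time up so rounding never hands out extra tokens. */
  b->last_refill_ms +=
    (new_tokens * 1000 + b->refill_per_sec - 1) / b->refill_per_sec;
  uint64_t total = (uint64_t)b->tokens + new_tokens;
  b->tokens = total > b->capacity ? b->capacity : (uint32_t)total;
}

/* Decide whether one more outbound connection may be opened on this circuit.
 * Returns true to admit it; false means the exit should refuse the stream.
 * The destination address and port play no part in the decision. */
bool
circ_stream_bucket_allow(circ_stream_bucket_t *b, uint64_t now_ms)
{
  circ_stream_bucket_refill(b, now_ms);
  if (b->tokens > 0) {
    b->tokens--;
    return true;
  }
  b->rejected++;
  return false;
}

/* Simulate `attempts` stream-open requests on one circuit, spaced
 * `interval_ms` apart, and return how many the bucket would admit. */
uint32_t
simulate_stream_flood(uint32_t burst, uint32_t rate_per_sec,
                      uint32_t attempts, uint32_t interval_ms)
{
  circ_stream_bucket_t b;
  circ_stream_bucket_init(&b, burst, rate_per_sec, 0);
  uint32_t admitted = 0;
  for (uint32_t i = 0; i < attempts; i++) {
    if (circ_stream_bucket_allow(&b, (uint64_t)i * interval_ms))
      admitted++;
  }
  return admitted;
}

int
main(void)
{
  /* Constructed scenario: burst of 20 streams, then 5 new streams per second. */
  printf("flood of 1000 attempts in 1s: %u admitted\n",
         simulate_stream_flood(20, 5, 1000, 1));
  printf("10 attempts, one per second: %u admitted\n",
         simulate_stream_flood(20, 5, 10, 1000));
  return 0;
}
```

With a burst of 20 and a refill of 5 per second, a circuit that fires 1000 stream requests in one second gets 24 of them through while a circuit opening one stream per second is never touched, which is the behaviour the issue asks for: the exit keeps serving normal clients and the flood's cost is bounded before any TCP connection is made. The rejected counter is there so an operator can see which circuits are being throttled without resorting to packet filters, which cannot tie an outbound connection back to a circuit.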
This has been brought up previously at the last relay operator meetup, and it is currently becoming an increasing issue at exits: https://lists.torproject.org/pipermail/tor-relays/2022-November/020885.html (search for 'cpu' in that message).
Also related to: #40676 (closed)