Create a guide to help web site owners mitigate abuse from Tor without blocking non-abusive Tor users
Specifically we need something that a blocked Tor user can point a site/service owner to. Today the most discoverable version of this on the main site is https://support.torproject.org/#censorship-2, which essentially boils down to just asking the owner to not block Tor out of altruism, without offering any technical detail or support.
Ideally such a page would help the owner determine how they're blocking Tor users in the first place (CDN configuration? Firewall? Website plugin?), and help them understand what their alternatives are.
As a first pass, such alternatives might include:
-
If the traffic isn't known to actually be causing harm, just don't block it. This may be the right solution if the exit node(s) were being blocked based on volume of traffic rather than any actual problem that traffic was causing. If there's a per-IP-address rate limit, consider raising it for known exit nodes.
-
Slowing down abusive Tor users by blocking Tor circuits, e.g. using CloudFlare's onion integration or https://github.com/alecmuffett/eotk.
-
PrivacyPass or other proof-of-work per browser rather than per IP address.
-
Application-level mitigations.