Then in deploying those countermeasures, they should know they're creating (sometimes significant) friction in the experience those legitimate users, who have legitimate reasons for using those tools, have of their site.
Well-intentioned or not, the UX sucks, and I generally bail and don't come back if I experience a second Captcha in a session. Find a better solution, or accept that you're driving away eyeballs/revenue.
As mentioned, this is a numbers game. Usually when this is deployed the cost of fighting the attackers exceeds any income the legitimate users via VPN or Tor respectively could provide.
> Find a better solution, or accept that you're driving away eyeballs/revenue.
Let's approach this from another angle for a moment - a hypothetical provider with no numbers/revenue; zero, zip.
Where should they start? Do they start by chasing every possible user out there and risk a wave of spam, etc? No, right now - the Cloudflare approach is looking rather attractive despite Cloudflare not needing to advertise these security features far and wide (unlike some VPN providers) because we're talking so much about it.
In the time that this debate will end, the buttons will be clicked, site(s) will be launched and working without problem for the majority of users it will be targeted at. For nearly everyone, this appears to be a much better solution than those that have plagued various online forums and services for years.
So who is going to find a "better" solution? Probably almost nobody. As the other commenter says, it's a numbers game. And that's just business.
Well-intentioned or not, the UX sucks, and I generally bail and don't come back if I experience a second Captcha in a session. Find a better solution, or accept that you're driving away eyeballs/revenue.