While I agree with you -- I'd also like to point out that >90% of malicious traffic to the websites I administer comes through the Tor network.
It shouldn't be the case, and I don't want to block people who have a legitimate reason to use Tor. Unfortunately there isn't a "block Tor traffic from assholes" option, so all I can really do to reduce the malicious traffic is block exit nodes.
This has nothing to do with Tor. Cloudflare frequently blacklists entire countries/counties worth of people (and rarely reverts those blacklists). There is a good chance that you have missed a lot of Indian/Vietnamese/Russian/Chinese visitors because Cloudflare concluded that forwarding their traffic to your site isn't financially viable for them.
> Unfortunately there isn't a "block Tor traffic from assholes" option
What exactly is "Tor traffic from assholes"? Bulk DDoS attacks? E-mail spam? SSH login attempts? Please share your valuable experience with everyone here, so that all of us could stay safe by learning from your example.
And for companies that don't do business with those countries - this is not a loss.
Most "asshole" traffic I see falls into one of two categories - attempts to exploit vulnerabilities (../../../etc/passwd stuff) and account takeover attacks.
The first I can forgive, I don't frankly care where that traffic comes from and the responsibility is entirely mine as website admin to prevent these types of attacks through good coding practices, WAF, etc.
The second I have less control over because customers / the general public sucks at security. They re-use passwords they've had for 10 years and won't opt-in to 2FA. And as a merchant, my company generally eats the cost of fraud that these attacks generally result in.
If no or little legitimate traffic is coming from Tor, and a significant percentage of malicious traffic is coming from Tor - at great cost to me / my company - why the hell would I allow it to continue?
One simple solution I can think of is to restrict POST requests from Tor exit nodes while still allowing GET requests. Cloudflare will give you an impossible-to-solve captcha even if you just try to visit site.com/index.html and I see no reason for this.
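The "block POST, allow GET from Tor exits" idea above, as an added example that is not from anyone in this thread: a small Python WSGI middleware that denies state-changing methods from addresses found on an exit-node list while leaving read-only methods open. The exit list embedded here is a constructed sample with documentation addresses; in practice you would load the Tor Project's bulk exit list (one address per line) and refresh it regularly.

```python
import ipaddress

# Constructed sample in the one-address-per-line format of the Tor bulk exit
# list. 203.0.113.0/24 and 2001:db8::/32 are documentation ranges, not real exits.
SAMPLE_EXIT_LIST = """\
# comment lines and junk are skipped
203.0.113.10
203.0.113.11
2001:db8::1
not-an-ip
"""

# Methods that do not change server state; these stay open to Tor users.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def parse_exit_list(text: str) -> frozenset:
    """Parse exit-list text into a set of ip_address objects, ignoring unparsable lines."""
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addrs.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # malformed line: skip rather than fail closed on the whole list
    return frozenset(addrs)


def decide(method: str, client_ip: str, exits: frozenset) -> str:
    """Return 'allow' or 'deny'. Non-Tor clients always pass; Tor exits pass only for safe methods."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "deny"  # unparsable peer address: fail closed
    if ip not in exits:
        return "allow"
    return "allow" if method.upper() in SAFE_METHODS else "deny"


class TorPostBlocker:
    """WSGI middleware: 403 for state-changing methods from Tor exit addresses."""

    def __init__(self, app, exits: frozenset):
        self.app, self.exits = app, exits

    def __call__(self, environ, start_response):
        # REMOTE_ADDR is the socket peer. Only substitute X-Forwarded-For when the
        # request provably came through a proxy you control, or the check is bypassable.
        verdict = decide(environ.get("REQUEST_METHOD", ""), environ.get("REMOTE_ADDR", ""), self.exits)
        if verdict == "deny":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"State-changing requests from Tor exit nodes are not accepted\n"]
        return self.app(environ, start_response)
```

Wrap your application as `TorPostBlocker(app, parse_exit_list(exit_list_text))`; GET/HEAD/OPTIONS from Tor still reach the app, so static pages stay reachable while login and checkout forms do not.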
Is the issue Tor traffic, or that you know what traffic is Tor?
There are many types of "abuse" (not just trolling) - mass downloading/scanning. (Ex: several types of port scanning can't be done via Tor since it doesn't support UDP)