Anti-Automated-Scanning: Support "marking" TCP connections differently with iptables "per circuit"
This ticket is to support "marking" TCP connections differently with iptables "per circuit".
The basic idea is that a Tor Exit operator, in order to reduce automated scanning, may wish to apply the specific rate limiters available in the iptables stack of their Linux machine.
The usual connection pattern of an automated scan, as seen from a Tor Exit relay, is that a single circuit opens a lot of TCP connections to the same host within a relatively short amount of time.
The usual HTTP(S) connection pattern of a normal browser, as seen from a Tor Exit relay, is to open a handful of connections to the same IP and keep them open with keep-alive.
So, if the Tor software made available to the iptables stack an "individual marking" of all TCP connections coming out of a specific circuit, it would be possible for the Tor Exit operator to apply rate limiting finely tuned so as not to break normal end-user browsing while still breaking the efficiency of automated scanners.
Obviously, this only works against automated scanners that do not apply a specific technique to bypass this particular prevention technique, which should be most of them.
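As an added illustration (not code from this ticket or from Tor), here is a user-space model of the rate limiter the exit operator could express once connections carry a per-circuit mark. It assumes each new outbound TCP connection is tagged with the circuit it came from, and it keys the limiter on (circuit, destination host); both the key and the traffic below are assumptions made for this example.

```python
# Added example (not from the ticket or Tor): a user-space model of the per-circuit
# rate limiter the ticket proposes. It assumes each outbound TCP connection is tagged
# with the circuit it came from (the hypothetical per-circuit mark) and keys the
# limiter on (circuit, destination host), which is an assumption of this example.
from collections import defaultdict

class CircuitRateLimiter:
    """Token bucket per (circuit_id, dst_host), counted in integer milli-tokens so
    the arithmetic stays exact. 'burst' new connections may be opened at once, after
    which the bucket refills at 'rate' connections per second."""

    def __init__(self, rate, burst):
        self.rate = rate            # new connections per second (int)
        self.burst = burst * 1000   # bucket capacity in milli-tokens
        self.buckets = {}           # (circuit_id, dst_host) -> (milli_tokens, last_ts_ms)

    def allow(self, circuit_id, dst_host, ts_ms):
        key = (circuit_id, dst_host)
        tokens, last = self.buckets.get(key, (self.burst, ts_ms))
        tokens = min(self.burst, tokens + (ts_ms - last) * self.rate)  # refill
        ok = tokens >= 1000
        if ok:
            tokens -= 1000          # one new connection costs one token
        self.buckets[key] = (tokens, ts_ms)
        return ok

def apply_policy(limiter, connections):
    """connections: iterable of (circuit_id, dst_host, ts_ms) for new outbound TCP
    connections seen at the exit. Returns {circuit_id: (accepted, dropped)}."""
    stats = defaultdict(lambda: [0, 0])
    for circ, dst, ts in sorted(connections, key=lambda c: c[2]):
        stats[circ][0 if limiter.allow(circ, dst, ts) else 1] += 1
    return {c: tuple(v) for c, v in stats.items()}

# Constructed traffic (not real data). circ-A behaves like a browser: six keep-alive
# connections at page load, two more a few seconds later. circ-B behaves like a
# scanner: 200 short connections to the same host within ten seconds.
HOST = "198.51.100.10"   # documentation address, used as a placeholder
BROWSER = [("circ-A", HOST, i * 50) for i in range(6)] + [("circ-A", HOST, 4000), ("circ-A", HOST, 4200)]
SCANNER = [("circ-B", HOST, i * 50) for i in range(200)]

def demo(rate=2, burst=10):
    """Run both patterns through one limiter: the browser is untouched, while most
    of the scanner's connections are dropped once its burst allowance is spent."""
    return apply_policy(CircuitRateLimiter(rate, burst), BROWSER + SCANNER)

if __name__ == "__main__":
    print(demo())   # {'circ-A': (8, 0), 'circ-B': (29, 171)}
```

Without the circuit id in the key, both patterns would share one bucket keyed on the exit's own address, which is exactly why the ticket asks Tor to expose the marking rather than leaving iptables to guess.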