Limit the number of open testing circuits, and the total number of testing circuits
Tor relays can open many more testing circuits than they need:
When Tor is doing its first ORPort reachability test, it initiates one testing circuit after the first successful circuit, then one testing circuit per second until the ORPort is found reachable. Then it gives up after 20 minutes. (1200 circuits is definitely too many.)
When tor receives any descriptor or consensus, it does another ORPort reachability test, and initiates a testing circuit.
When a testing circuit opens, and there aren't enough testing circuits to test bandwidth, then tor initiates another testing circuit.
When a testing circuit expires, tor doesn't stop opening testing circuits to replace it.
We should place a timeout on bandwidth testing (the same as reachability tests?), a limit on the number of in-progress and open testing circuits (NUM_PARALLEL_TESTING_CIRCS3/2 ?), and a limit on the total number of testing circuits that tor will build over a certain time (NUM_PARALLEL_TESTING_CIRCS3 an hour?).
We should also reduce the frequency of the initial ORPort testing circuit callback, so those circuits are spread out over the 20 minute ORPort testing interval.
We should be careful to make these limits apply to relays, but not authorities. Authorities need to test a large number of relays every hour.
Edit: suggest some limits