Perhaps what we really need is a configuration that recognizes the two security requirements:

1) Defend ietf.org from DDoS attack
2) Provide access to Tor users.

The first requirement is at least as important as the first.

Sln1: If it is possible, perhaps the Cloudflare config could be set up so that connections over Tor go to one particular server that is run by IETF direct and not in the critical path.

Broken: You would have to have the site in the IETF server room and where there is a site, there is a pipe and it is really the pipe that is DDoSed.

Sln2: Can Cloudflare adjust their CAPTCHA scheme so that it only queries users if an attack is actually in progress?

Question: Is this what they do already? Was the CAPTCHA showing up because of a dumb blacklist or was it showing up because the IP was on a blacklist AND that IP was currently performing a DDoS AND that DDoS was aimed at ietf.org?

I suspect IETF use is atypical where Tor is concerned. Most sites probably just want to shut Tor exit nodes out.