I developed a scheme to rate limit hidden services using proof-of-work:

https://gist.github.com/evandentremont/a3ad12a5cc3a924dae34

The server sends a semi-prime to the client, which then factors it. The client submits the factored primes back with the next request. The 'rate' can be throttled by sending a larger or smaller semiprime. The client has to spend time factoring that number, and the request can simply be dropped if the factored primes aren't correct. It would be effective to hinder brute force attacks on a login screen at the very least.

Running as a script on the page isn't ideal, as a lot of people disable JavaScript. There's always the option for a fallback where you calculate the primes yourself and submit them, but I feel like it would be better implemented as part of Tor itself.

Just throwing this out there for thoughts / feedback / opinions on rate-limiting hidden services.
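
The challenge/response round trip described above, as an added example (not the code from the linked gist). The function names, the in-memory `outstanding` set and the 4..26-bit size limit are assumptions for illustration. The server-side check also rejects the trivial `1 * n` answer and replayed challenges.

```javascript
// Added illustration; all names here are hypothetical, not from the gist.
const outstanding = new Set(); // semiprimes issued and not yet redeemed

// Random integer in [lo, hi); uses Web Crypto when the runtime provides it.
function randInt(lo, hi) {
  const c = globalThis.crypto;
  const r = c && c.getRandomValues
    ? c.getRandomValues(new Uint32Array(1))[0] / 2 ** 32
    : Math.random();
  return lo + Math.floor(r * (hi - lo));
}

function isPrime(n) {
  if (n < 2) return false;
  for (let d = 2; d * d <= n; d++) if (n % d === 0) return false;
  return true;
}

function randomPrime(bits) {
  for (;;) {
    const c = randInt(2 ** (bits - 1), 2 ** bits) | 1; // force odd
    if (isPrime(c)) return c;
  }
}

// Server: the difficulty knob is the bit length of each prime factor.
function issueChallenge(bits) {
  if (bits < 4 || bits > 26) throw new RangeError('bits must be 4..26');
  const n = randomPrime(bits) * randomPrime(bits); // stays below 2^52
  outstanding.add(n);
  return n;
}

// Client: the work. Trial division costs about sqrt(n) steps.
function factor(n) {
  for (let d = 2; d * d <= n; d++) if (n % d === 0) return [d, n / d];
  return null;
}

// Server: one multiplication to check; a redeemed challenge is spent.
function verify(n, p, q) {
  if (!outstanding.has(n)) return false;   // never issued, or replayed
  if (!Number.isSafeInteger(p) || !Number.isSafeInteger(q)) return false;
  if (p <= 1 || q <= 1) return false;      // reject the trivial 1 * n
  if (p * q !== n) return false;           // wrong factors: drop request
  outstanding.delete(n);                   // single use
  return true;
}
```

The asymmetry is the point: the client pays roughly sqrt(n) divisions while the server pays one multiplication and a set lookup per request.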