I am running a latest 0.2.5.3-alpha Tor build. This time I am observing multiple connections within one minute established on a data port from the same address (not sure if client or relay). The latest flood of connections comes from One World Labs who claim to be a computer security company that also searches for leaked/stolen company information in the "dark Internet" or something along those lines.
It seems to me that, since the circuits are connected randomly, the likelihood of the same relay having multiple connections to my single relay within such a short period of time is low. I think someone already pointed out earlier that some clients used to start a number of circuits before they needed them. I guess if such "broken" client chooses my relay as an entry point, I can imagine they might start many circuits fast. But then 0.2.5.3 release notes claimed improvements in DOS protection.
From a practical point, is there a rule at what point I should consider
rapid multiple connections from the same address to my relay's directory/data port a DOS attack and take some measures?