What else do you propose? You have a service which is costing money to run, some idiot is abusing it to the detriment of your genuine users, and the only correlation you can see between connections is that they originate from Tor exit nodes (remember, the point of Tor is that you *can't* establish identity). Sure, you may be able to develop an application level defence against the attack, but that takes time and resources which may not be immediately available. Meanwhile, of course you block the originating network! It's just the same as if you're being flooded by abusive requests all from the same /24: you might not want to permanently block the whole subnet, but you certainly want to mitigate the immediate threat. Sysadmin 101: If you don't do something *now*, you'll regret it tomorrow.
they -should- indeed develop an application level defense to the problem. any defense that relies on layer 3 being accurate "identification" is just plain -wrong- (and probably designed by the same dusty nerds that still think smtp is a good idea to keep around ;)
if you want to but can't tell your users apart by some other means but the ip address they connect from, your protocol/service sucks and isn't suitable for use on the real internet and needs to go back to the drawing board.
it's not just "tor" you know, back in the days you just took a dialup number in venezuela and all was fine :P (and you can still do that today ;)
as for "attacks" i'd distinguish between actual network attacks (where i don't give a crap if it's spoofed or not, just DROP it :P)
and let's say, people (or bots) using a service "on top" of the actual internet (let's say an online banking system).
NOW if your online banking system has such CRAPPY authentication that you need to fall back to ip based blocking them, your online banking system does not belong on the internet in the first place.
and the same goes for forum spam, "viruses" (basically crappily written software products (ie: windows) which refuse to fix the exploits ;) etc.
tor does one thing: it kinda like urges them to fix their crap :P (now if only there were more exit nodes ;)
i'd say, bring on some more protocols like tor and let's have a shakeout of the crap that should not be on the internet/market in the first place.
(smtp, windows and other highly vulnerable operating systems and software, crappy forum software, crappy online banks and credit card systems which think a static username (or even email) and password is hell of a good idea, etc ;)
zomg, they use tor to commit fraud/spam/send viruses: no they don't. your own service is at fault there for not being designed with hostile networks like the internet in mind.
(and usually the ones spending all their time complaining about it could just fix it with 10 lines of code ;)
so yeah, let them all go to hell for all i care :P