The attacker can just be smarter and use various ASNs + out-proxies for their backend.

My background is small-world network in distributed systems and anti-censorship software like Hyphanet. If the goal is to evict/lessen the purview of the metadata harvesting nodes then some version of web-of-trust + proof of work could be implemented.

I got the most LIB text ever on E Day