Unless you already ruled out that hypothesis by looking at the attack distribution by source IP:
If dir auths (some or all) are willing to share (privately or publicly) the distribution of attack load (frequency, bandwidth, ...) by exit source IP in total or relative values I can correlate this data to strengthen a hypothesis that malicious/suspicious exits are involved to a greater extend than well-known long term exits. That could mean that they are not (exclusively) attacking via but _from_ servers that also happen to run tor exits.
From another angle this is an interesting precedence
because the tor project uses it's access to protect dir auths from exit relays. Why is that interesting? Because no one else that gets attacked via exit relays has that "luxury" to "filter" it at the "source" (exits).