"IBM said its data shows a “steady increase” over the past few years in attacks originating from Tor exit nodes, with attackers increasingly using Tor to disguise botnet traffic."
What part of "exit node" does IBM not understand?
Once the traffic hits an exit node, it's no longer in Tor. It's also more or less impossible to "disguise botnet traffic" using Tor, since it's not like the botnet is running an entry or exit node.
At worst, a bot on one of your servers will hit a Tor entry node in order to disguise that the traffic is coming from *your* server, as opposed to somewhere else. Frankly, if you have a bot on one of your servers doing this (which makes really no sense, since there's really no economic value in protecting individual bots from discovery of their identity), the problem isn't Tor, it's that you've allowed your server to become a bot in the first place.
Why IBM is involved in this anti-Tor scare tactic is anyones guess... but if you wonder about something like that, you should probably follow the money, since blocking the Tor protocol only buys you the ability to prevent entry or exit nodes on your network, and seriously, no one is going to trust an unvalidated entry/exit node enough that they'd be willing to peer with the thing in the first place.