Yeah the rate-limit approach makes sense! I've been using Nginx's req-limit (http://nginx.org/en/docs/http/ngx_http_limit_req_module.html) and fail2ban to do so. Importantly it accounts for the "burstiness" of a lot of HTTP traffic and allows you to set thresholds yourself. Can recommend! So you built it in as part of the forum software @cblgh?

The ngx_http_limit_req_module module (0.7.21) is used to limit the request processing rate per a defined key, in particular, the processing rate of requests coming from a single IP address. The limitation is done using the “leaky bucket” method.