There are plenty of ways you can (and should) rate limit requests on your end. It is a pretty basic security and reliability practice.
Also, if you're dealing with an actual malicious adversary, real or automated, rate limiting can be more effective than blocking (the logic to detect and overcome even a very significant rate limit is much more complex than to detect dropping, ignoring, or 4xx/5xx response blocking methods).
For example, a method to rate limit based on IP with nginx
Sure. I already use several rate limitation measures, return fake data for repeating offenders, and also outright block some others. It is still laughable that a somewhat "reputable" bot does not even know about basic HTTP headers.
http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
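
A per-IP configuration using the module linked above, added here as an example and not posted by either commenter. The zone name, rates, port, paths and upstream address are assumptions.

```nginx
# Constructed example: zone name, rates, port, paths and upstream are assumptions.
events {}

http {
    # One state entry per client address; $binary_remote_addr keeps entries small.
    # 10m of shared memory, sustained rate of 5 requests per second per address.
    # Behind a reverse proxy or CDN this variable holds the proxy's address,
    # so the real client address must be restored first (realip module).
    limit_req_zone $binary_remote_addr zone=per_ip:10m rate=5r/s;

    # Rejected requests return 429 instead of the default 503.
    limit_req_status 429;

    # Log rejections at "warn"; delayed requests are logged one level lower.
    limit_req_log_level warn;

    server {
        listen 8080;

        location / {
            # Up to 10 requests above the rate are queued and delayed to fit it,
            # not rejected: the client sees slow responses rather than an error.
            # Only requests beyond the burst are rejected.
            limit_req zone=per_ip burst=10;
            root /var/www/html;
        }

        location /api/ {
            # Stricter variant: the burst is served immediately ("nodelay"),
            # and anything beyond it is rejected with limit_req_status.
            # Both locations share the same per_ip zone and its counters.
            limit_req zone=per_ip burst=5 nodelay;
            proxy_pass http://127.0.0.1:9000;
        }
    }
}
```

The delayed (no `nodelay`) form is the one that matches the point made in the thread: throttled clients get valid but slow responses, while the `warn` log entries give the operator a record of which addresses are hitting the limit.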