How effective would per-IP rate limiting be for these new types of JS attacks though? As I understand it, it's just the sheer number of requests that they can get sent to the server with these types of attacks rather than, say, a botnet spamming requests over and over from the couple hundred PCs they have under their control or an HTTP POST attack where they trickle in the body of the request to hang up the server.