Rate limiting real-time connections: preventing WebSocket abuse
Linnea Dubois
281 views
We're seeing some attempts at abuse on our WebSocket-based real-time services, mostly in the form of clients opening hundreds of connections from a single IP or sending thousands of messages per minute. It's not a DDoS attack, more like poorly behaved (or intentionally malicious) clients trying to scrape data or overwhelm the service.
Implementing rate limiting for traditional REST APIs is pretty well understood with tools like nginx, but for WebSockets it feels a bit different. We're looking at limiting connections per IP, messages per second per connection, total payload size per minute, and even bandwidth consumed. This needs to happen at the edge, ideally, before it hits our backend services.
What are the best practices for rate limiting WebSocket connections and message throughput? Are there specific proxies or services that do a good job of this? Are you implementing this logic in your application layer, or pushing it further up to something like a custom API gateway? Keen to hear how others are protecting their real-time infrastructure from abuse.
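As an added illustration of the three limits the post lists (connections per IP, messages per second per connection, payload bytes per minute), here is a small in-process limiter in Go. It is example code written for this page, not code from the original poster or any commenter, and it assumes a Go WebSocket server where `Accept` is called from the HTTP upgrade handler with the peer IP, `AllowMessage` is called for every inbound frame before it is forwarded, and `Close` runs from the socket's close handler. The `Limits` values and the `connState`/`Limiter` names are hypothetical; the clock is injectable so the behaviour can be checked without sleeping.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Limits is the per-client policy enforced at the edge (values are hypothetical).
type Limits struct {
	MaxConnsPerIP  int     // concurrent WebSocket connections per source IP
	MsgsPerSec     float64 // sustained inbound message rate per connection (token refill rate)
	MsgBurst       float64 // token-bucket capacity: messages allowed back-to-back
	BytesPerMinute int64   // inbound payload budget per connection, fixed one-minute window
}

// connState tracks one connection: a token bucket for message rate and a fixed-window byte counter.
type connState struct {
	ip          string
	tokens      float64
	lastRefill  time.Time
	windowStart time.Time
	windowBytes int64
}

// Limiter keeps per-IP and per-connection state behind one mutex.
type Limiter struct {
	mu         sync.Mutex
	limits     Limits
	connsPerIP map[string]int
	conns      map[string]*connState
	now        func() time.Time // injectable clock for deterministic tests
}

func NewLimiter(l Limits) *Limiter {
	return &Limiter{limits: l, connsPerIP: map[string]int{}, conns: map[string]*connState{}, now: time.Now}
}

// Accept runs on the upgrade request and refuses the handshake once the source IP already holds MaxConnsPerIP open connections.
func (l *Limiter) Accept(ip, connID string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.connsPerIP[ip] >= l.limits.MaxConnsPerIP {
		return false
	}
	l.connsPerIP[ip]++
	t := l.now()
	l.conns[connID] = &connState{ip: ip, tokens: l.limits.MsgBurst, lastRefill: t, windowStart: t}
	return true
}

// Close releases the connection's slot; call it from the socket close handler.
func (l *Limiter) Close(connID string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	st, ok := l.conns[connID]
	if !ok {
		return
	}
	delete(l.conns, connID)
	l.connsPerIP[st.ip]--
	if l.connsPerIP[st.ip] <= 0 {
		delete(l.connsPerIP, st.ip)
	}
}

// AllowMessage runs on every inbound frame before it is forwarded; it returns false plus a reason when the frame must be dropped (or the socket closed).
func (l *Limiter) AllowMessage(connID string, payloadLen int) (bool, string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	st, ok := l.conns[connID]
	if !ok {
		return false, "unknown connection"
	}
	t := l.now()
	// Refill tokens for the time elapsed, capped at the burst size.
	st.tokens += t.Sub(st.lastRefill).Seconds() * l.limits.MsgsPerSec
	if st.tokens > l.limits.MsgBurst {
		st.tokens = l.limits.MsgBurst
	}
	st.lastRefill = t
	// Start a fresh byte window once a minute has passed.
	if t.Sub(st.windowStart) >= time.Minute {
		st.windowStart, st.windowBytes = t, 0
	}
	if st.tokens < 1 {
		return false, "message rate exceeded"
	}
	if st.windowBytes+int64(payloadLen) > l.limits.BytesPerMinute {
		return false, "payload budget exceeded"
	}
	st.tokens--
	st.windowBytes += int64(payloadLen)
	return true, ""
}

func main() {
	lim := NewLimiter(Limits{MaxConnsPerIP: 2, MsgsPerSec: 5, MsgBurst: 10, BytesPerMinute: 1 << 20})
	fmt.Println(lim.Accept("203.0.113.7", "c1"), lim.Accept("203.0.113.7", "c2"), lim.Accept("203.0.113.7", "c3"))
	for i := 0; i < 12; i++ {
		ok, why := lim.AllowMessage("c1", 64)
		fmt.Printf("msg %2d allowed=%v %s\n", i, ok, why)
	}
}
```

Two practical notes on wiring this in: the `ip` passed to `Accept` should be the socket peer address unless the server sits behind a proxy you control, in which case take it from the forwarded header only when the immediate peer is that proxy; otherwise a client can pick its own bucket. And because the byte budget is checked before the frame is consumed, an oversized frame is rejected without charging the window, so a client cannot "burn" its own budget to hide a rate violation; the connection-slot check still applies to the handshake regardless of message behaviour.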