Rate limiting real-time connections: preventing WebSocket abuse

we've started seeing some abuse patterns on our websocket endpoints, with clients opening hundreds of connections or sending thousands of messages per minute, sometimes with very large payloads. this is impacting our server stability and costs. we need to implement robust rate limiting for real-time connections. i'm thinking about limiting connections per ip/user, messages per second per connection, total payload size, and perhaps even bandwidth per user. what are the best practices for implementing rate limiting specifically for websocket traffic? are there good off-the-shelf solutions or common architectural patterns that work well for this, beyond just simple ip-based throttling?