Rate limiting real-time connections: preventing WebSocket abuse
Nadia Lindberg
We've started seeing some abuse on our WebSocket connections, with individual users (or bots) opening hundreds of connections or sending thousands of messages per minute, sometimes with huge payloads. It's clear we need proper rate limiting to prevent resource exhaustion and service degradation.
What are the effective strategies for rate limiting WebSockets? We're thinking about limiting connections per user/IP, messages per second, total payload size per minute, and overall bandwidth. Is there a good client-side and server-side handshake mechanism to enforce limits and notify clients when they're being throttled? What tools or libraries have people found effective for this, especially when dealing with a large number of concurrent connections?
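An added example, not part of the original post: a server-side limiter covering three of the limits the question lists (connections per key, messages per second via a token bucket, payload bytes per minute), returning a decision the server can relay to the client as a throttle notice. The class name, default limits and decision object shape are assumptions; 1009 is the RFC 6455 "message too big" close code.

```javascript
// Added example: WsRateLimiter, its defaults and the decision shape are hypothetical.
class WsRateLimiter {
  constructor({ maxConns = 5, msgsPerSec = 10, burst = 20, maxMsgBytes = 65536,
                bytesPerMin = 1048576, now = () => Date.now() } = {}) {
    Object.assign(this, { maxConns, msgsPerSec, burst, maxMsgBytes, bytesPerMin, now });
    this.state = new Map(); // key (user id or IP) -> counters shared by that key's sockets
  }
  entry(key) {
    let s = this.state.get(key);
    if (!s) {
      const t = this.now();
      s = { conns: 0, tokens: this.burst, refilledAt: t, windowStart: t, windowBytes: 0 };
      this.state.set(key, s);
    }
    return s;
  }
  // Upgrade handshake: false when the key already holds maxConns sockets.
  open(key) {
    const s = this.entry(key);
    if (s.conns >= this.maxConns) return false;
    s.conns += 1;
    return true;
  }
  // Socket close: release the slot but keep the counters, so a reconnect
  // does not receive a fresh burst allowance.
  close(key) { const s = this.state.get(key); if (s && s.conns > 0) s.conns -= 1; }
  // Every inbound message, with its payload size in bytes.
  check(key, size) {
    const s = this.entry(key), t = this.now();
    if (size > this.maxMsgBytes) return { action: "close", code: 1009 };
    // Token bucket: refill by elapsed time, capped at the burst size.
    s.tokens = Math.min(this.burst, s.tokens + ((t - s.refilledAt) / 1000) * this.msgsPerSec);
    s.refilledAt = t;
    // Fixed one-minute window for the byte budget.
    if (t - s.windowStart >= 60000) { s.windowStart = t; s.windowBytes = 0; }
    if (s.windowBytes + size > this.bytesPerMin)
      return { action: "throttle", limit: "bytes", retryAfterMs: 60000 - (t - s.windowStart) };
    if (s.tokens < 1)
      return { action: "throttle", limit: "messages",
               retryAfterMs: Math.ceil(((1 - s.tokens) / this.msgsPerSec) * 1000) };
    s.tokens -= 1;
    s.windowBytes += size;
    return { action: "accept" };
  }
  // Periodic cleanup: drop keys with no open sockets and an expired window.
  sweep() {
    const t = this.now();
    for (const [k, s] of this.state)
      if (s.conns === 0 && t - s.windowStart >= 60000) this.state.delete(k);
    return this.state.size;
  }
}
```

State here lives in one process; with several server instances the counters would need a shared store for the limits to hold across them.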