Many bots open new TCP connection for every request, which is incredibly wasteful but leads to easy filtering via ipt_hashlimit firewall rules. Browsers and other well behaved clients work fine with limit as low as 3 connections per minute per IP. It avoids the SSL handshake overhead too. YMMV of course, but worth trying out.