Any firewall worth its salt (like PF) can measure which IPs are making more requests per minute than is reasonable and shove them into a list to be handled separately (whether by blocking them outright or by putting them in a slower / lower-priority queue). Putting all those thousands of IPs into a queue that only gets 1% of the available bandwidth would solve the issue quite nicely, I think.
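A pf.conf fragment sketching the approach described above, added here as an example and not part of the original comment. It uses OpenBSD PF syntax (5.5 or later queueing); the interface name, link speed, ports and the 60-connections-per-minute threshold are assumptions, and PF counts new TCP connections per source rather than individual HTTP requests.

```pf
# Added example, not from the original comment. All values are assumed.
ext_if = "em0"                      # assumed external interface

# Sources that exceed the rate limit are added to this table.
table <abusers> persist

# Assumed 100 Mbit/s uplink: a default queue for normal traffic and a
# "slow" queue capped at 1% of the link for overloaded sources.
queue rootq on $ext_if bandwidth 100M max 100M
queue std   parent rootq bandwidth 99M default
queue slow  parent rootq bandwidth 1M max 1M

# Normal clients: allow web traffic, but track new connections per
# source address. A source opening more than 60 connections in 60
# seconds is added to <abusers>.
pass in on $ext_if proto tcp to port { 80 443 } \
    keep state (max-src-conn-rate 60/60, overload <abusers>)

# Listed sources: still served, but their states are assigned to the
# slow queue, so replies leaving $ext_if share the 1% allocation.
# PF uses the last matching rule, so this must come after the rule above.
pass in on $ext_if proto tcp from <abusers> to port { 80 443 } \
    set queue slow

# To block outright instead of throttling, replace the rule above with:
# block in quick on $ext_if from <abusers>
```

Entries stay in the table until removed; running `pfctl -t abusers -T expire 3600` from cron drops addresses that have been listed for more than an hour.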