How is that rate limiting working actually (no, I didn’t search answer). Will it kick in after amount of requests in some timeframe per IP?
Anyway, when there is ddos’ish situation in the meaning of for example if URL is mentioned in some stupid list then starts flood from IPs from China, Pakinstan, Iran, Irak, Vietnam and Russia plus a lot from big VPS-services, mainly from USA, France and Germany. When they try 3 times and changes IP rate limiting doesn’t help too much.
I got at some point a lot stupid searches. And a lot means 5USD droplet by DigitalOcean crashed and I had almost zero requests from humans.
This is more or less matter of webserver, not Discourse. Those knockers should kill before an app. I know that my situation/solutions are much easier than OP’s or most of webmasters here because I’m from Finland and my forum is pure finnish — so banning world wide is possible for me (well, outside of Finland living finns see that differently 
)
But regardless rate limiting at least false user agents should stop right away.
How’s SSH-knockers? Those eat resources too.