voila - all new connections which are more than 5 per hour from the same
IP are dropped, I have had similar rules for specific ports and max
connections per client for many years now - no rocket science

Yes.  But measuring those numbers is the difficult part.  A fresh install of ClamAV is going to download the main, the daily, then all the diffs since the last daily, which could be a ton.  It's the people that are downloading the *same* diff 1000x an hour that are the problem.
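The difference between the two measurements in this exchange, as an added example that is not part of either message or of ClamAV's own tooling: it counts requests per IP per hour and, separately, repeats of the same file per IP per hour. The log format (Apache common), the sample lines, the IP addresses, the one-request-per-connection simplification and the repeat threshold are all assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed Apache common log format; only the fields needed here are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def _line(ip, minute, path):
    # Builds one constructed log line (not real mirror traffic).
    return f'{ip} - - [12/Mar/2019:10:{minute:02d}:00 +0000] "GET {path} HTTP/1.1" 200 512'

# Constructed: a fresh install fetching main, daily, then four different diffs.
FRESH = [_line("192.0.2.10", i, p) for i, p in enumerate(
    ["/main.cvd", "/daily.cvd"] + [f"/daily-{n}.cdiff" for n in range(25381, 25385)])]
# Constructed: a client fetching the same diff every 15 minutes.
REPEATER = [_line("198.51.100.7", m, "/daily-25384.cdiff") for m in (1, 16, 31, 46)]
SAMPLE_LOG = FRESH + REPEATER + ["garbage line that does not parse"]

def hourly_counts(lines):
    """Return (requests per ip/hour, requests per ip/hour/file) for full downloads."""
    per_ip, per_ip_file = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":  # skip unparsable lines and non-200 responses
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hour = ts.strftime("%Y-%m-%dT%H")
        per_ip[(m["ip"], hour)] += 1
        per_ip_file[(m["ip"], hour, m["path"])] += 1
    return per_ip, per_ip_file

def over_connection_limit(lines, limit=5):
    """IPs a '5 per hour from the same IP' rule would hit (one request per connection assumed)."""
    per_ip, _ = hourly_counts(lines)
    return sorted({ip for (ip, _hour), n in per_ip.items() if n > limit})

def repeat_downloaders(lines, max_repeats=2):
    """(ip, path, count) where one IP fetched the same file more than max_repeats times in an hour."""
    _, per_ip_file = hourly_counts(lines)
    return sorted((ip, path, n) for (ip, _hour, path), n in per_ip_file.items()
                  if n > max_repeats)

if __name__ == "__main__":
    print("over 5 requests/hour:", over_connection_limit(SAMPLE_LOG))
    print("same file repeated:  ", repeat_downloaders(SAMPLE_LOG))
```

On the constructed sample, the per-IP count flags only the fresh install, while the per-file repeat count flags only the client re-fetching one diff.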

