by terom 1839 days ago
Looking at the icanhazip.com site, I wonder how much any kind of rate-limiting per address/block would even help.

At the HTTP level it's probably cheaper to just return the HTTP 200 response. I suppose if you're doing TLS handshakes then a packet-level rate limit would help significantly, but at the same time I'd be wary of triggering any kind of retry behavior.

Worst-case scenario for a service like this would be having an error response/timeout trigger some kind of unlimited retry flood.

1 comments

The block route I'd go with is blackholing the entire range into nothing through BGP or similar so the servers wouldn't have to deal with the traffic, similar to how anti-DDoS tools often work. Might even redirect the DNS for that subnet to the IP of the people running the network, let them deal with the abuse. That'd be a very offensive approach, though.

I probably wouldn't bother with TLS either, just a plain HTTP 0.1 response with minimum information should be enough.
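Both comments touch the same two ideas: limit per address block rather than per address, and keep the reply as cheap as possible so an IP-echo service can absorb abusive bursts without provoking retry floods. The following is an added illustration, not code from either poster or from icanhazip.com. It assumes (as constructed choices) a token bucket keyed on the client's /24, a plain HTTP/1.0 reply with `Connection: close`, and a simulated "drop" for over-limit clients standing in for a packet-level rule that never reaches the HTTP server.

```python
"""Per-/24 token-bucket limiter in front of a minimal IP-echo responder.

Added example for the thread above, not the posters' or icanhazip.com's code.
Constructed assumptions: requests are (timestamp, client_ip) pairs, limits are
keyed on the client's /24, and "dropped" models a packet-level drop that the
HTTP layer never sees (so no error response exists to trigger client retries).
"""
import ipaddress

RATE = 5.0    # tokens refilled per second per /24 block (constructed)
BURST = 10.0  # bucket capacity, i.e. the burst a block may send at once


class BlockRateLimiter:
    """Token bucket per network block; one token per request."""

    def __init__(self, rate=RATE, burst=BURST, prefix=24):
        self.rate, self.burst, self.prefix = rate, burst, prefix
        self._buckets = {}  # network -> (tokens, last_refill_time)

    def _key(self, ip):
        # Aggregate to the block so a scan across hosts in one /24 shares a bucket.
        return ipaddress.ip_network(f"{ip}/{self.prefix}", strict=False)

    def allow(self, ip, now):
        key = self._key(ip)
        tokens, last = self._buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return True
        self._buckets[key] = (tokens, now)
        return False


def http10_reply(client_ip):
    """Smallest useful reply: status line, length, close, the address, newline."""
    body = client_ip + "\n"
    headers = [
        "HTTP/1.0 200 OK",
        "Content-Type: text/plain",
        f"Content-Length: {len(body)}",
        "Connection: close",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def serve(limiter, events):
    """Run constructed (timestamp, ip) events; return (served, dropped) counts."""
    served = dropped = 0
    for now, ip in events:
        if limiter.allow(ip, now):
            http10_reply(ip)  # in a real server this is written to the socket
            served += 1
        else:
            dropped += 1  # modelled as a packet-level drop, no HTTP error sent
    return served, dropped


if __name__ == "__main__":
    # Constructed burst: 15 hosts from one /24 at t=0, one unrelated client,
    # then a late request from the same /24 after the bucket has refilled.
    burst = [(0.0, f"203.0.113.{i}") for i in range(1, 16)]
    burst.append((0.0, "198.51.100.7"))
    burst.append((1.0, "203.0.113.50"))
    print(serve(BlockRateLimiter(), burst))  # (12, 5) under the constants above
```

The drop path deliberately produces no response at all: a limited client that receives a 429 or a reset has something to react to, while a silently dropped packet gives a naive retry loop nothing to latch onto, which is the retry-flood concern raised in the first comment.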