What is a reasonable limit?

I personally add anything that hits me with more than 1000 reqs/sec to a 24hr blocklist at my network edge (prevents things like the Fortinet bursters sending problematic levels of traffic as far as my server, although I do still save the blocked requests for later analysis). They get a 3000 request burst before the policy is applied. Anything slower than that, I don’t worry about.

If reflection abuse becomes a significant problem, then I will revise that limit downwards.

My main rationale behind allowing that much traffic is to address the scenario where e.g. a few thousand shitty IoT clients try to synchronise from behind NAT all at the same time, or if there are a few buggy devices that try to sync time in a fast loop. I doubt it happens often, but I’d still like to have my server available to service those requests, and to service the requests of other devices sharing a public IP with something buggy.

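The policy in the post above, sketched as an added example (not the poster's actual edge configuration): it assumes the limit is a per-source-IP token bucket refilled at 1000 tokens/sec with a capacity of 3000, and that running the bucket dry triggers the 24hr block. `EdgeLimiter`, `replay` and the traffic patterns are constructed for illustration.

```python
from dataclasses import dataclass, field

RATE = 1000.0            # sustained requests/sec per source IP (from the post)
BURST = 3000.0           # requests tolerated before the policy applies (from the post)
BLOCK_SECS = 24 * 3600   # blocklist duration (from the post)

@dataclass
class EdgeLimiter:
    """Per-source token bucket (assumed mechanism); running dry means a 24hr block."""
    tokens: dict = field(default_factory=dict)         # ip -> tokens left
    last_seen: dict = field(default_factory=dict)      # ip -> time of last counted request
    blocked_until: dict = field(default_factory=dict)  # ip -> block expiry time
    saved: list = field(default_factory=list)          # blocked requests kept for analysis

    def allow(self, ip: str, now: float) -> bool:
        if self.blocked_until.get(ip, 0.0) > now:
            self.saved.append((now, ip))
            return False
        self.blocked_until.pop(ip, None)
        # Refill for the time since the last request, capped at the burst size.
        elapsed = now - self.last_seen.get(ip, now)
        level = min(BURST, self.tokens.get(ip, BURST) + elapsed * RATE)
        self.last_seen[ip] = now
        if level < 1.0:
            self.blocked_until[ip] = now + BLOCK_SECS
            self.tokens[ip] = level
            self.saved.append((now, ip))
            return False
        self.tokens[ip] = level - 1.0
        return True

def replay(limiter: EdgeLimiter, ip: str, count: int, rate: float, start: float = 0.0) -> int:
    """Send `count` evenly spaced requests at `rate` req/s; return how many passed."""
    return sum(limiter.allow(ip, start + i / rate) for i in range(count))

if __name__ == "__main__":
    lim = EdgeLimiter()
    # Constructed traffic; addresses are from the RFC 5737 documentation ranges.
    print("NAT gateway, 2500 clients in 1s:", replay(lim, "192.0.2.10", 2500, 2500.0))
    print("steady 900 req/s for 10s:", replay(lim, "198.51.100.7", 9000, 900.0))
    print("5000 req/s flood, 20000 sent:", replay(lim, "203.0.113.5", 20000, 5000.0))
    print("flooder blocked after 1h:", not lim.allow("203.0.113.5", 3600.0))
```

Under these assumptions the simultaneous NAT sync and the steady sub-limit client are served in full, while the flood is cut off once the burst allowance drains and stays blocked until the 24 hours expire.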