We need to create a backend per-IP limit in Varnish for WDQS that would allow only a set number of requests per IP (say, 10) to be sent to the backend in parallel. The rest of the requests should be queued by Varnish and expired if they are queued for too long, or just rejected outright if that's easier. This will ensure no client can hog all available backend time.
Since we have Trusted XFF support, we probably need to use that too when resolving IPs.
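The requested behaviour, modelled in Python as an added example; it is not Varnish configuration and not code from this task. The names `client_ip` and `PerIPLimiter`, the 2-second wait and the trusted proxy range are assumptions made for illustration.

```python
import ipaddress
import threading

# Assumption: constructed range standing in for the Trusted XFF proxy list.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def client_ip(peer, xff):
    """Walk XFF + peer right to left; return the first hop that is not a trusted proxy."""
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()] + [peer]
    last = peer
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: nothing further left can be trusted
        last = str(addr)
        if not any(addr in net for net in TRUSTED_PROXIES):
            return last  # entries to the left are client-supplied, so ignore them
    return last  # every hop was a trusted proxy: key on the furthest valid one

class PerIPLimiter:
    """At most max_parallel in-flight requests per IP; extras wait up to max_wait seconds."""
    def __init__(self, max_parallel=10, max_wait=2.0):
        self.max_parallel, self.max_wait = max_parallel, max_wait
        self._lock = threading.Lock()
        self._slots = {}  # ip -> [semaphore, holders + waiters]

    def acquire(self, ip):
        with self._lock:
            entry = self._slots.setdefault(ip, [threading.BoundedSemaphore(self.max_parallel), 0])
            entry[1] += 1
        if entry[0].acquire(timeout=self.max_wait):
            return True  # caller may forward to the backend, then must call release()
        self._forget(ip, entry)  # queued too long: caller should reject the request
        return False

    def release(self, ip):
        with self._lock:
            entry = self._slots[ip]
        entry[0].release()
        self._forget(ip, entry)

    def _forget(self, ip, entry):
        with self._lock:
            entry[1] -= 1
            if entry[1] == 0:
                del self._slots[ip]  # keep the table from growing with every IP ever seen
```

Setting `max_wait=0` gives the "reject outright" variant: a request that finds all slots for its IP busy is refused without queueing.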