The number of concurrent requests from a given IP should be limited. This should work through Varnish as well (and not treat Varnish's IP as the requesting IP).
The idea is that a given client hitting a lot of misses (whether through legitimate traffic or abuse) would get throttled automatically and not hammer Thumbor.
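One way to sketch the check described above, as an added example that is not Thumbor's or the task author's code: the client address is read from `X-Forwarded-For` only when the connection comes from a trusted proxy, and a per-client counter caps in-flight requests. The proxy network, the limit of 2, and the names `client_ip` and `ConcurrencyLimiter` are assumptions for illustration.

```python
import ipaddress
import threading
from collections import defaultdict

# Assumed values for illustration; neither is taken from the task.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]  # where Varnish lives
MAX_CONCURRENT_PER_CLIENT = 2

def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(peer_ip, xff_header):
    """Return the address to throttle on for one incoming request."""
    peer = ipaddress.ip_address(peer_ip)
    if not _trusted(peer):
        # Direct connection: the header is client-controlled, so ignore it.
        return str(peer)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by our own
    # proxies; the first untrusted address is the real client.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the rest of the header
        if not _trusted(addr):
            return str(addr)
    return str(peer)  # nothing usable: fall back to the proxy's address

class ConcurrencyLimiter:
    """Counts in-flight requests per client and refuses above the limit."""
    def __init__(self, limit=MAX_CONCURRENT_PER_CLIENT):
        self._limit = limit
        self._active = defaultdict(int)
        self._lock = threading.Lock()

    def try_acquire(self, ip):
        with self._lock:
            if self._active[ip] >= self._limit:
                return False  # caller should answer 429 instead of rendering
            self._active[ip] += 1
            return True

    def release(self, ip):
        with self._lock:
            if self._active[ip] <= 1:
                self._active.pop(ip, None)  # drop idle clients from the map
            else:
                self._active[ip] -= 1
```

Call `release` in a `finally` block so a failed render does not leave the client's counter stuck at the limit.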