Reasonable rate limit for the API

Because we keep getting odd behaviors from users, multiple issues have been created already, but we never actually did anything about this, so: we should set some reasonable API usage and set some form of rate limitation to avoid being abused through the API.

I don't really know what would be reasonable, but checking https://gitlab.com/gitlab-com/infrastructure/issues/1449#note_26186643 I can't help but think that accessing us with multiple threads from the same IP should hit a limitation that would at least slow the client down (not plain old reject).

cc/ @briann what rate would make sense to have as a defense mechanism?