[EDIT : this is slightly wrong, an updated version is here]
Here is something you can do with the 1.5 line in order to prevent a single IP from hogging all your resources. It works by creating two back ends for each back end you previously used. The first back end will be reserved for standard users, and the second for abusers. You should allow a lot less concurrent connexions on this second back end. The configuration would look like this, for a limit of 2 concurrent connexion before being flagged as abuser :
frontend a bind ... stick-table type ip size 200k expire 2m store conn_cur acl source_is_abuser sc1_conn_cur gt 2 tcp-request connection track-sc1 src if ! source_is_abuser use_backend slow if source_is_abuser default_backend fast backend slow server a ... maxconn 1 check server b ... maxconn 1 check backend fast server a ... maxconn 10 check server b ... maxconn 10 check
great news! dou you know if keep-alive connections, thus those with currently no backend connection, are counted too?
I would say they are, but I am far from being an expert here. But as this stick table is at the ip level, it should have no clue about HTTP sessions, and just count every connexions.