Yeah, and rate-limiting is only one of the things a PaaS needs to handle, to avoid looking like a bad actor to the underlying platform. The trickiest thing to handle is people using your PaaS to host malware, because:

1. There may be no simple rule of thumb like "suddenly using tons of bandwidth"

2. Bad actors can open up so many accounts, you have to close them automatically

3. Malware can infect a good actor, who is unaware or struggling to deal with it