IPv6 changes this a bit, so one might want to do a limit per subnet, say 30 per /64.
Works great until your users use an ISP that hands out /128 rather than /64
Seriously? Who even hands out one single /64 or smaller? it's not like handing out /48s instead is going to deplete the IPv6 pool space .
Budget VPS/dedicated server providers, such as OVH: https://www.kimsufi.com/en/servers.xml
(And yeah, this is a classic failure mode of TCP...)
Edit: With Slowloris it looks like the connection isn't closed client side though?
Although I'm just wondering they're dropping the FINs anyway.