That is, if you have a rate of 10 rps set for 0.0.0.0/0, is each IP address assessed separately? Or is the limit applied to the sum of activity across all IPs, so that once the total exceeds 10 rps, the next request from any IP is blocked?
It is applied per IP. In this example, that means 10 rps for each IP address, not 10 rps in total. If a single IP issues more than 10 rps, it gets blocked momentarily. How long is it blocked? 10 rps translates to 1 request per 100 milliseconds. So at any point, if an IP issues more than 1 request within a 100-millisecond window, the extra requests are blocked for just that 100-millisecond window. As long as the client stays within 1 request per 100 milliseconds, it can continue to access without issues.
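To make the per-IP behaviour concrete, here is a minimal Python sketch. It assumes that 10 rps is enforced as one request per 100 ms (1000 ms / 10) and that each IP is tracked independently. The class `PerIPRateLimiter` and its `allow` method are hypothetical names made up for illustration; this is not the actual implementation of any particular product.

```python
class PerIPRateLimiter:
    """Hypothetical per-IP limiter: at most one request per interval, per IP."""

    def __init__(self, requests_per_second: int):
        # Assumption: 10 rps is enforced as 1 request per 100 ms (1000 // 10).
        self.interval_ms = 1000 // requests_per_second
        # Each IP gets its own entry, so one noisy client never affects another.
        self.last_allowed_ms = {}

    def allow(self, ip: str, now_ms: int) -> bool:
        """Return True if the request is accepted, False if it is blocked."""
        last = self.last_allowed_ms.get(ip)
        if last is not None and now_ms - last < self.interval_ms:
            # Too soon after this IP's last accepted request: block it.
            return False
        self.last_allowed_ms[ip] = now_ms
        return True


limiter = PerIPRateLimiter(requests_per_second=10)
print(limiter.allow("203.0.113.5", now_ms=0))    # True: first request from this IP
print(limiter.allow("203.0.113.5", now_ms=50))   # False: same IP, only 50 ms later
print(limiter.allow("198.51.100.7", now_ms=50))  # True: different IP, counted separately
print(limiter.allow("203.0.113.5", now_ms=100))  # True: 100 ms have passed
```

Timestamps are passed in explicitly (rather than read from a clock) so the behaviour is easy to follow; a real limiter would use the server's own clock and would also expire old entries.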