I don't mean to be marketting for them, but the CloudFlare Turnstile "captcha alternative" (Similar to Google ReCaptcha and others) has been working for me. it's the only thing that has of what I tried so far (rate-limiting IPs, fail2ban, etc -- their IPs are just too distributed).
It doesn't make the user do a puzzle, it's the kind that either works entirely automatically or in some cases asks the user to tick a checkbox. You have probably seen it proliferating across the internet in your personal use becuase, well, see above.
Rate limiting individual addresses seems like a possibly useful, if not perfect, idea since it forces the bots to spread out over more addresses. It does penalize humans behind NAT however.
I have indeed tries lots of things that seemed possibly useful! Rate limiting by IP (or by CIDR subnet of various sizes) was not enough for me. The bots spread out to more addreseses and still overwhelmed my resources.
It doesn't make the user do a puzzle, it's the kind that either works entirely automatically or in some cases asks the user to tick a checkbox. You have probably seen it proliferating across the internet in your personal use becuase, well, see above.