First, see this post for one method to obtain the ip address of your caller using a GenericHandler.
Using this method, you can essentially (by creating a class that extends GenericHandler) intercept any web-services calls to any web-service that we want intercepted (based on QName).
So, once we have an ip, we could call query a database, or run some other logic inside of our handler, and dermine how many calls per hour, minute, etc a given ip has made. If an ip has exceeded a given threshold, then simply don't call the "super.handleRequest(context)" function (this is in the override of the "public boolean handleRequest(MessageContext context)" in GenericHandler -- see the referenced post above. However, if the ip has not exceeded our threshold, then by calling super.handleRequest(..), our SEI is called, and the web-service call proceeds normally.
I'd appreciate hearing any other alternatives you might find for throttling a web-service...I'm looking for some best practices, too.