zero, the 5 from the CVE seemed too restrictive, given the legitimate uses of the Range header. It ends up we could withstand quite a few simultaneous attacks at 40, so it seemed like a good balance between blocking bad traffic and allowing good traffic.
The CVE also says:
The number 5 is arbitrary. Several 10's should not be an issue and may be
required for sites which for example serve PDFs to very high end eReaders
or use things such complex http based video streaming.
Between testing and the CVE, we're comfortable with 40. ymmv.