https://www.rfc-editor.org/rfc/rfc7233#section-6.1 :

6.1. Denial-of-Service Attacks Using Range ... Servers ought to ignore, coalesce, or reject egregious range requests, such as requests for more than two overlapping ranges or for many small ranges in a single set, particularly when the ranges are requested out of order for no apparent reason. Multipart range requests are not designed to support random access. ...

Are there any definitions of "many small ranges in a single set"?

algor

2 Answers

In general, a sensible limit will depend on how expensive it is to serve ranges, and how likely clients are to benefit from ranged requests.

An initial mitigation guide from SpiderLabs suggests a limit of five ranges for practical traffic in the wild.

The implementation in Apache httpd allows as many as 200 ranges, but only 20 may overlap, or appear out of order. This addresses the main pathologies of the circulated exploit, which used around six hundred overlapping ranges.

Joe
It surely depends a lot on your service what you consider "out of range" and what not. What would be serious for a PC running as a service is surely not comparable with a large corporation network.

You basically need to set conditions for your specific service for what the normal usage is and what not, and reject anything out of that range.

Like anywhere in software you need to place "guards" against all sorts of invalid data or behaviour.

Dmitri Zaitsev