How can I protect our API service?

We have REST API which are using by our mobile app.

Recently we had been attacked by someone from different IP on our login action. It was a big number of different IP but they were repeated sometimes – so we cannot block all of them manually. It looks that someone stooled somewhere database with user logins and passwords. After that they tried to logging to our API with that credentials. So, we had a lot of unsuccessful attempt to login from different IP. As the result there were big load on our back-end, moreover – they broke some client personal accounts.
So, the question is – do you have some protection for such kind of attack for API? If yes, where we can read about it?
As we see the situation – we need some tools which will count unsuccessful attempts of API using and then block such IP’s. Maybe, you have some other solutions…
Any help will be appreciated!
Thanks a lot!