Yesterday someone started sending me dozens of login requests per second, probably a brute force attack.
I added a captcha to verify whether it’s human or not, and I was at least able to stop him from checking whether the login details are correct, returning status 400 right away.
But I want to blacklist his IPs; he uses hundreds of IPs that change every request.
I blocked around 7-10 of his ASNs, as well as IPs and user agents, but somehow he’s still able to send POST requests (every 1-3 seconds) to the login route, even though I have enabled rate limiting for the login route (POST), and it doesn’t seem to block him.
How does it work, then? I’m new to this, so I might be missing something.
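As an added illustration (not part of the post above): a fixed-window rate limiter keyed on an arbitrary string, fed constructed traffic that mimics the pattern described, one POST to the login route every 2 seconds, a fresh IP each time, all aimed at one account. Keyed on client IP the limit never trips, because each IP is seen only once; keyed on the target username the same budget rejects most of the attempts. The limiter design, the 203.0.113.x addresses and the "admin" username are assumptions.

```python
"""Why an IP-keyed login rate limit never trips against a rotating-IP source.

Added example, not from the post: a simple fixed-window counter keyed on a
string, run over constructed requests (one POST /login every 2 s, new IP each
time, same target account).
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class FixedWindowLimiter:
    limit: int          # max requests per key within one window
    window: float       # window length in seconds
    _hits: dict = field(default_factory=lambda: defaultdict(list))

    def allow(self, key: str, now: float) -> bool:
        """Return True if `key` is still under the limit at time `now`."""
        hits = self._hits[key]
        # forget timestamps that have fallen out of the current window
        self._hits[key] = hits = [t for t in hits if now - t < self.window]
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def make_requests(n: int, interval: float, username: str) -> list:
    """Constructed sample traffic: n login POSTs, a different IP on every one."""
    return [{"ip": f"203.0.113.{i % 256}", "user": username, "t": i * interval}
            for i in range(n)]


def count_blocked(requests: list, key_field: str, limit: int, window: float) -> int:
    """Apply the limiter keyed on `key_field` and count the rejected requests."""
    limiter = FixedWindowLimiter(limit=limit, window=window)
    return sum(not limiter.allow(r[key_field], r["t"]) for r in requests)


if __name__ == "__main__":
    traffic = make_requests(n=60, interval=2.0, username="admin")
    # 10 attempts/minute per IP: every IP is seen once, so nothing is rejected
    print("blocked by IP:  ", count_blocked(traffic, "ip", limit=10, window=60.0))
    # the same 10/minute budget per target account rejects 40 of the 60 attempts
    print("blocked by user:", count_blocked(traffic, "user", limit=10, window=60.0))
```

A per-account (or global) login budget, or a counter keyed on a stable client fingerprint rather than the source address alone, is what catches this traffic; blocking individual IPs or ASNs cannot keep up with a pool that changes on every request.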