in reply to Why do you have to worry about Brute Force Attacks?

CGI::Application has a plugin called CGI::Application::Plugin::RateLimit that may give you some ideas. Basically for any runmode or action (e.g. accepting logins) you can determine how many calls you will accept over a defined time frame.

$rate_limit->protected_actions(failed_login => {timeframe => '10s', max_hits => 2 });

By default it uses $ENV{REMOTE_USER} or $ENV{REMOTE_IP} to identify the user, but you can write a callback to create your own logic for this.
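
The idea behind the setting quoted above (at most 2 failed logins per 10 seconds per identity), as an added sketch that is not part of the original reply and is not the plugin's own code. The class `FailedLoginLimiter`, its methods `record_hit` and `is_blocked`, the in-memory storage, the numeric `timeframe`, the "more than max_hits" threshold and the identity callback body are all assumptions made for illustration.

```perl
use strict;
use warnings;

# Added illustration: in-memory sliding-window limiter (hypothetical class,
# not CGI::Application::Plugin::RateLimit itself).
package FailedLoginLimiter;

sub new {
    my ($class, %args) = @_;
    return bless {
        timeframe => $args{timeframe},          # window length in seconds
        max_hits  => $args{max_hits},           # hits tolerated inside the window
        identity  => $args{identity_callback},  # returns the key to count against
        hits      => {},                        # identity => [epoch, epoch, ...]
    }, $class;
}

# Record one hit (here: one failed login) against the caller's identity.
sub record_hit {
    my ($self, $req, $now) = @_;
    push @{ $self->{hits}{ $self->{identity}->($req) } }, $now;
    return;
}

# True when the identity has more than max_hits hits inside the window.
sub is_blocked {
    my ($self, $req, $now) = @_;
    my $id     = $self->{identity}->($req);
    my $from   = $now - $self->{timeframe};
    my @recent = grep { $_ > $from } @{ $self->{hits}{$id} || [] };
    $self->{hits}{$id} = \@recent;              # prune entries older than the window
    return @recent > $self->{max_hits} ? 1 : 0;
}

package main;

my $limiter = FailedLoginLimiter->new(
    timeframe => 10,
    max_hits  => 2,
    # Assumed callback: count per source address and per targeted account.
    identity_callback => sub { join '|', $_[0]{ip}, lc $_[0]{user} },
);

# Constructed sample: four failed logins for one account from one address.
my $req = { ip => '192.0.2.10', user => 'alice' };
for my $t (100, 102, 104, 120) {
    $limiter->record_hit($req, $t);
    printf "t=%d blocked=%d\n", $t, $limiter->is_blocked($req, $t);
}
```

Keying the callback on address plus account name means one address cycling through many accounts is counted separately per account, so a deployment would usually keep a second, address-only limit alongside it.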