It seems that Algorithm::FloodControl was written for just that purpose. You would give it a limit_name of the requesting IP and it tells you whether that IP made too many requests already. If so, you could insert the IP address and an expiry time into a database table and reject all requests from that IP until the expiry time is reached.