reCaptcha would help to prevent users (bots/scripts) to login.
When the attack is on a service, so a script flooding your web services e.g. you could implement a protection mechanism by adding delays from the community commons module. You could log the user that is creating the request and based on a treshold delay the actions. Maybe at first add a delay and after a second treshold deny actions by blocking the user’s login (setting the user to inactive).