Make a table with (a) IP or IP range (might want to have a 2- or 3-character hash index to speed up lookup) (b) most recent access time (c) number of requests made within x seconds of most recent access time. If the number of (c) goes over a certain limit, ban them using .htaccess. Also run a cron job every few hours that reduces the (c) count by 1 every hour or something, so legit users who access too fast every now and then won't get auto-banned.
If the user is logged in, you can of course do this with their user name instead of IP.
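A sketch of the table, counter, decay and ban steps described above, as an added example that is not part of the original post. It assumes SQLite for storage and Apache 2.4 `Require not ip` syntax for the ban; the function names, the 2-second window and the limit of 5 are illustrative choices.

```python
import ipaddress
import sqlite3

WINDOW_SECONDS = 2   # the post's "x seconds"; this value is an assumption
BAN_THRESHOLD = 5    # limit for count (c); this value is an assumption

def open_db(path=":memory:"):
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit
    conn.execute("CREATE TABLE IF NOT EXISTS hits ("
                 "client TEXT PRIMARY KEY, last_access REAL NOT NULL, "
                 "fast_count INTEGER NOT NULL DEFAULT 0, "
                 "banned INTEGER NOT NULL DEFAULT 0)")
    return conn

def record_request(conn, remote_addr, now):
    """Update the row for one request; return True if the client is banned."""
    # Validate and normalise first: this value is later written into .htaccess.
    client = str(ipaddress.ip_address(remote_addr))
    row = conn.execute("SELECT last_access, fast_count, banned FROM hits "
                       "WHERE client = ?", (client,)).fetchone()
    if row is None:
        conn.execute("INSERT INTO hits (client, last_access) VALUES (?, ?)",
                     (client, now))
        return False
    last_access, fast_count, banned = row
    if now - last_access <= WINDOW_SECONDS:   # arrived "too fast"
        fast_count += 1
    banned = 1 if (banned or fast_count > BAN_THRESHOLD) else 0
    conn.execute("UPDATE hits SET last_access = ?, fast_count = ?, banned = ? "
                 "WHERE client = ?", (now, fast_count, banned, client))
    return bool(banned)

def decay(conn):
    """Cron step: lower every counter by 1, never below 0. Bans stay in place."""
    conn.execute("UPDATE hits SET fast_count = MAX(fast_count - 1, 0)")

def htaccess_rules(conn):
    """Render the current bans as an Apache 2.4 authorization block."""
    ips = [r[0] for r in conn.execute(
        "SELECT client FROM hits WHERE banned = 1 ORDER BY client")]
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in ips]
    return "\n".join(lines + ["</RequireAll>"]) + "\n"
```

Pass in the connection's peer address rather than a client-supplied header such as `X-Forwarded-For`, unless a trusted proxy sets it. For logged-in users the same table works with the user name as the key, in which case the `ipaddress` check is replaced by whatever validation the account names already have.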