You could always count how many requests a user is making from a certain ip address, and stop returning anything but an Unauthorized after a certain limit is reached.

This is a pretty simple solution, but would probably do the job. You can cut it off by requests/time interval or like no more than 100 page requests in two minutes or something. You could then either ban the IP, or return error codes for a specified amount of time. That specified amount of time could be something hard coded like 5 hours, or you could just wait for their requests/time interval to go down organically.

function isIpBlocked($ip)
{
    //do mysql query to check if column is true
}

function shouldIpBeBlocked($ip)
{
    //do mysql query to check if number of request over a certain interval is too high
}

if(isIpBlocked($ip))
{
    header('HTTP/1.0 401 Unauthorized');
}
else
{
   if(shouldUserBeBlocked($ip))
   {
       //do sql update/insert to indicate user is blocked in ip_block table or something
       header('HTTP/1.0 401 Unauthorized');
   }
   else
   {
      //update number of requests from this ip address INSERT INTO ip_history (ip, ...) VALUE (:ip, ....);
      //do your web site code

      //maybe do a mysql query to clean out ip_history table for requests that happened a long time ago and check to see if you should unban people
   }
}

You put that code on every page of your site, and it will ensure that users have not been breaking your predetermined security rules.