We have a web application that's been frequently hit with random usernames and passwords to find a successful login attempt. We introduced CAPTCHA and random token generation, but that didn't stop the hacker hitting our web server. Our web server CPU reaches the 99% usage level and it slows down the website for genuine users.
We need to know whether there are any ways to stop him hitting the web server (maybe on the client side itself). I don't know whether it's possible. Can someone tell me how to handle this?
Additional info - the hacker hits our site from 1000 different IPs. We blocked all of those, but he comes back with a new set of IPs every time. Also, he has a million+ usernames and passwords stolen from some website and he is using those on our site.