You could check the IP Address of the request and maintain a list of failed attempts. Based on IP address you can code so that you disallow a specific IP if too many attempts are being made.
You can also block request of an IP temporarily. See this link:http://www.iis.net/download/dynamiciprestrictions