Set up an Amazon CloudWatch alarm to monitor access patterns, establish a threshold based on IP address activity, and configure the alarm to automatically add offending IP addresses to the web ACL’s deny list.

Enhance protection by deploying AWS Shield Advanced alongside AWS WAF, ensuring the ALB is designated as a protected resource.

Create an Amazon CloudWatch alarm to track IP address usage, set a threshold for unusual activity, and program the alarm to trigger an AWS Lambda function that inserts a deny rule into the application server’s subnet route table for any suspicious IP addresses.

Analyze access logs to identify patterns from attacking IP addresses and utilize an Amazon Route 53 geolocation routing policy to block traffic from the countries associated with these IP addresses.