This might be naiive ,but a generic approach might be to configure the app to use a front end servlet as a single entry point of entry to the application and control access that way.
If the application is under what you define as a heavy load grab the ServletRequest getRemoteAddr() method and block that address with a servlet filter.
In the case where the attack comes from zombie machines with different senders the idea is the same .You develop a strategy to filter the requests.
Your application server might be helpful in this case. For example Weblogic Server can be explicitly configured to secure these types of attacks.
Please check docs of application server that you use
Joined: May 13, 2009
It depends on your server set up. As Jarek pointed out,if you can filter it at the web server/app server level before it gets to the app ,that is a better solution.
If you decided to do it in the app, as the original post asked, you could put in a timer in the servlet filter that runs in a separate thread and counts the number of times the servlet gets called over a fixed time period like every minute or so. Then reset the counter when the time period expires.