Create an authentication stage that will "lock out" a particular remote host (identified by IP) after a given number of authentication failures within a given period of time. Such a lockout would be agnostic to both the authentication mechanism and the SP.
This stage would require that a proxy sitting in front of the container running the IdP properly pass in the correct X-Forwarded information, but that's a requirement the IdP already has.
A group of clients that are aggregated by a proxy (e.g., "the AOL problem") would cause issues for this stage. As such, one configuration option probably needs to be a list of IP ranges to ignore.
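An added sketch of such a stage (example code, not the IdP's own implementation): a sliding-window lockout keyed by client IP, with the client IP taken from X-Forwarded-For as set by the front proxy, and a configurable list of exempt ranges for aggregating proxies. Class and method names are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict, deque


class IpLockout:
    """Lock out an IP after max_failures within window_seconds (hypothetical stage)."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900,
                 exempt_cidrs=()):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        # Aggregating proxies ("the AOL problem") go here and are never locked out.
        self.exempt = [ipaddress.ip_network(c) for c in exempt_cidrs]
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time at which the lockout expires

    @staticmethod
    def client_ip(remote_addr, x_forwarded_for=None):
        """Resolve the originating client. X-Forwarded-For is trusted only because
        the IdP already requires a correctly configured front proxy that sets it;
        a malformed value falls back to the socket peer address."""
        if x_forwarded_for:
            first = x_forwarded_for.split(",")[0].strip()
            try:
                return str(ipaddress.ip_address(first))
            except ValueError:
                pass
        return str(ipaddress.ip_address(remote_addr))

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is not None and now < until:
            return True
        self.locked_until.pop(ip, None)      # expired or absent
        return False

    def record_failure(self, ip, now):
        """Record one failure; return True if it triggers a lockout."""
        if any(ipaddress.ip_address(ip) in net for net in self.exempt):
            return False
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)          # a good login resets the counter
```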