You have a couple of options.

If you are self hosting, use a WAF, CDN or firewall to rate limit access to FusionAuth.

If you are using FusionAuth Cloud, we have protection in place to ensure customers don’t get DDoSed; additionally, all customer servers are monitored for responsiveness and availability.

If you need more rate limiting options, we're working on it: https://github.com/FusionAuth/fusionauth-issues/issues/905

This is not currently handled by FusionAuth. You would have to use another application firewall of some sort that offers rate limiting. Here's an example for nginx: https://docs.nginx.com/nginx/admin-guide/security-controls/controlling-access-proxied-http/

We have discussed adding this feature, but due to the other options available it has not yet been prioritized. Feel free to open a feature request on GitHub.

Please check out https://fusionauth.io/docs/v1/tech/tutorials/setting-up-user-account-lockout which walks you through the steps to lock logins after a configurable number of attempts.