@blockbot iptables at that point. For stuff like that where someone's just doing the same pattern, I just tail the logs; someone passes a threshold and I drop the traffic. If it's enough to actually flood you: normal usage for that endpoint is about once a minute, so something like more than ten times in ten seconds, you could say, is unlikely. I checked our logs and in the last week only two IPs hit 4 times in ten seconds, and that only happened six times total, so setting it at ten times in ten seconds is pretty safe. So for your log format, something like this would work:
tail -f /var/log/wherever | mawk -Winteractive '
# Normally you'd just use the $vars but I'm setting them here so the post is easier to read
# (combined log format: $1 is the client IP, $4 is "[dd/Mon/yyyy:HH:MM:SS", $7 is the request path):
{ip = $1; timestamp = $4; tenseconds = substr(timestamp, 2, 19); path = $7}
# substr(…, 2, 19) drops the leading "[" and the last digit of the seconds, so it names a ten-second bucket.
# So, check if they're hitting /api/v1/streaming or I think there's a v3 maybe.
path ~ /\/api\/v[0-9]\/streaming/ {
    # Reasonable key, just the two fields (awk's multi-subscript keeps them apart):
    ct = a[ip, tenseconds]++
    # So, ten times in ten seconds from the IP, and only ban each IP once,
    # otherwise every further hit in the window appends another identical rule:
    if (ct > 10 && !(ip in banned)) {
        banned[ip] = 1
        print "Killing", ip
        # Or use whatever, ufw or some BSD thing.
        system("iptables -A INPUT -s " ip " -j DROP")
    }
}
'
Here, they were too lazy to even set a UA, so it was probably just firing off nonsense over netcat (basic optimization for flooding: just abandon the connection after the request gets through instead of going through all the overhead of dealing with the HTTP library, which will do stuff like parse the response headers, etc.). Instead of worrying about thresholds, you could just kill anything that hits you more than once in a second and doesn't have a User-Agent set.
One thing I do when testing this kind of script out is to replace "system" with "print" or put "echo" at the beginning of the program it runs, which is an easy way to do a dry run.
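The same bucketing idea run over a constructed sample log instead of `tail -f`, as an added example that is not code from the original post: it applies both rules from the post (more than ten streaming hits from one IP in a ten-second window, and more than one request per second with no User-Agent), bans each IP only once, and defaults to the echo-instead-of-iptables dry run described in the last paragraph. It assumes the Apache/nginx combined log format; the IPs, timestamps and paths in the sample are constructed.

```shell
# Emit one line in the Apache/nginx "combined" format (assumed format).  A missing
# User-Agent is logged as "-".  Args: ip, seconds (two digits), path, user agent.
log_line() {
    printf '%s - - [10/Oct/2000:13:55:%s +0000] "GET %s HTTP/1.1" 200 512 "-" "%s"\n' "$1" "$2" "$3" "$4"
}

# Constructed traffic: 12 streaming hits from one IP inside the 13:55:30-39
# bucket, one polite client, and a UA-less client hitting twice in one second.
sample_log() {
    i=0
    while [ "$i" -lt 12 ]; do
        log_line 203.0.113.5 "$((30 + i / 2))" /api/v1/streaming "Mozilla/5.0 (X11; Linux)"
        i=$((i + 1))
    done
    log_line 198.51.100.7 31 /api/v1/streaming "Pleroma-FE/1.0"
    log_line 192.0.2.9 33 /api/v1/timelines/public "-"
    log_line 192.0.2.9 33 /api/v1/timelines/public "-"
}

# Read log lines on stdin, print "ip reason" once per IP that trips a rule.
# $1 = ip, $4 = "[dd/Mon/yyyy:HH:MM:SS", $7 = path; the UA is the last quoted field.
find_offenders() {
    awk '
    { ip = $1; path = $7
      tensec = substr($4, 2, 19)          # drops the last digit of the seconds: a 10 s bucket
      onesec = substr($4, 2, 20)          # the full second
      ua = ""
      if (match($0, /"[^"]*"$/)) ua = substr($0, RSTART + 1, RLENGTH - 2) }
    # Rule 1: more than ten streaming requests from one IP in a ten-second window.
    path ~ /\/api\/v[0-9]\/streaming/ && ++hits[ip, tensec] > 10 && !(ip in banned) {
        banned[ip] = 1; print ip, "streaming-flood" }
    # Rule 2: no User-Agent and more than one request in a single second, any endpoint.
    ua == "-" && ++noua[ip, onesec] > 1 && !(ip in banned) {
        banned[ip] = 1; print ip, "no-user-agent" }'
}

# Drop the offender.  DRY_RUN=1 (the default) prints the command instead of running it.
ban_ip() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables -A INPUT -s $1 -j DROP"
    else
        iptables -A INPUT -s "$1" -j DROP
    fi
}
# Usage (dry run): sample_log | find_offenders | while read -r ip reason; do ban_ip "$ip"; done
```

Set `DRY_RUN=0` only once the dry-run output lists exactly the IPs you expect to block.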