Prevent a bot accessing login page with multiple IPs and massive list of username/ passwords
Attack is automated. You can inspect packets coming from attack vs packets coming from your customers. It can be as simple as the HTTP user agent string or can be some TCP header difference (e.g. some strange flag). Then filter out on the firewall level.
My biggest concern is the DDOS element with regards to system load
Then your defences are not appopriate - unless you are blocking the packets before they get to your webserver they are consuming resources (although even if you drop the packets inside your network they will use your bandwidth, but that is likely to be less of a problem).
I've just implemented fail2ban on my sites (actually I got someone else to do the hard work) and its working a treat.
But do bear in mind that mobile devices are much more likely to be using shared IP addresses - ipv6 POPs or "accelerators".
Attacks generally have an end time- attackers don't spend unlimited time on any one target. You could temporarily blackhole route Arizona logins from that ip range coming in via the app to a "we're sorry" page.
You could also leave them able to log in, but put captcha on first attempt vs letting them fail at all.
For unique ip analysis, it can help to throw the IP list in an excel spreadsheet and remove duplicates, see what vanished.