Are there generally accepted tactics for protecting Django applications against this kind of attack?

django-axes is an existing app for detecting failed login attempts. There is also a more general django-ratelimit.

You can:

• Keep track of the failed login attempts and block the attacker after 3 attempts.
• If you don't want to block then you can log it and present a CAPTCHA to make it more difficult in future attempts.
• You can also increase the time between login attempts after eached failed attempt. For example, 10 seconds, 30 seconds, 1 minute, 5 minutes, et cetera. This will spoil the fun pretty quickly for the attacker.
• Of course, choose a secure password as that will keep the attacker guessing.

I prefer django-defender. It starts as django-axes fork with redis as backend to store fail login attempts, blocked users, IPs so it much faster than django-axes.

There are many libraries available for it like Django-axes, Django-defender, Django-ratelimit, these libraries mentioned all do the same thing (with a few differences between them). You can choose the one which best suits your needs.

If you are using DRF, then you don't need an additional library (axes, ratelimit, etc.) because DRF already has the throttling functionality build in.

You can check this question :**How to prevent brute force attack in Django Rest + Using Django Rest Throttling **