Because HTTP is stateless, there's no definite way to know that two hits are coming from exactly the same person (or even the same browser).
You could watch for many failed attempts from the same IP address, but that will get false positives on proxies, and false negatives from AOL or dialup customers. Definitely don't bother with cookies or referer: any bad guy worth their salt is going to strip those. In fact, it's trivial to construct a LWP-based bot that blows both of those off.
-- Randal L. Schwartz, Perl hacker
Be sure to read my standard disclaimer if this is a reply.