One of my client's websites came under attack last week. From what I've been able to work out, it appears that they were using a script to bombard the bookings page on an accommodation website. This meant a load of fake bookings and emails generated by the form. I've put a few extra measures in place including a stronger captcha which seems to have stopped the problem.

However, the bandwidth figures for the site have gone through the roof since the attack started and are causing me major problems to keep the site up without running out of what I'm allowed by my hosting account. I'm assuming that their script is still calling the page every 5 mins or so, as the logs showed, and even though they're not causing the same levels of problems as last week, I'd really like to know what I can do to stop them from eating up my bandwidth. There's a lot of photography on the site so any page call is going to use up quite a lot of bandwidth.

I do know that they are changing IP address after every 5 or so calls. There is no sign of them on Analytics, so I am assuming that they are accessing by script rather than actually visiting the site.

Not 100% my area of expertise and any thoughts or suggestions would be hugely appreciated.
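
Added example, not part of the original post: one way to test the assumption above against the server's access log is to list the clients that request the bookings page but never fetch an image, CSS or JavaScript file, and to total the bytes they account for. It assumes the Apache/nginx combined log format and a page path of `/bookings`; the log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample in Apache/nginx "combined" log format (not the site's real logs).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:00:01 +0000] "GET /bookings HTTP/1.1" 200 18000 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:00:02 +0000] "POST /bookings HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:01:10 +0000] "GET /bookings HTTP/1.1" 200 18000 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:01:11 +0000] "GET /img/room1.jpg HTTP/1.1" 200 450000 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:01:11 +0000] "GET /js/site.js HTTP/1.1" 200 30000 "-" "Mozilla/5.0"
203.0.113.44 - - [12/Mar/2024:10:05:03 +0000] "GET /bookings HTTP/1.1" 200 18000 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Mar/2024:10:06:40 +0000] "GET /img/room2.jpg HTTP/1.1" 200 500000 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} (\d+|-)')
ASSET = re.compile(r'\.(?:jpe?g|png|gif|webp|css|js|ico)$', re.I)

def profile_clients(log_text, page="/bookings"):  # page path is an assumption
    """Per-IP counts of booking-page hits, static-asset hits and bytes sent."""
    stats = defaultdict(lambda: {"page_hits": 0, "asset_hits": 0, "bytes": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, url, size = m.groups()
        path = url.split("?", 1)[0]  # ignore any query string
        entry = stats[ip]
        entry["bytes"] += 0 if size == "-" else int(size)
        if path == page:
            entry["page_hits"] += 1
        elif ASSET.search(path):
            entry["asset_hits"] += 1
    return dict(stats)

def script_like(stats):
    """IPs that hit the booking page but never loaded an image, CSS or JS file."""
    return sorted(ip for ip, s in stats.items() if s["page_hits"] and not s["asset_hits"])

def bandwidth_share(stats):
    """(bytes sent to script-like IPs, bytes sent to everyone)."""
    flagged = set(script_like(stats))
    return (sum(s["bytes"] for ip, s in stats.items() if ip in flagged),
            sum(s["bytes"] for s in stats.values()))

if __name__ == "__main__":
    stats = profile_clients(SAMPLE_LOG)
    print(script_like(stats), bandwidth_share(stats))
```

Because the source address changes every few calls, the per-IP profile is a measurement of who is consuming the bandwidth rather than a stable block list.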