Bot Security Query

I have a query here by the client.
So, a client is experiencing bot attack i.e. there are some numbers which are triggerring the OTP even 300 times and they want to handle this and avoid such attacks.
They are using their own APIs.
Has there been such a scenario before ? If yes, how have we handled it ?
Or, for security purposes, what are the solutions that we can recommend to them ?