Comment by badrabbit

3 years ago

It looks like the attack is login based, since that's where your captcha is. Allow a single captcha-free attempt to log in successfully from a /24. If the login fails, then put the /24 on captcha for X hours. That way most login attempts that are legit won't see the captcha. Also, the HN crowd, I think, prefers hCaptcha.

Lastly, what I would do is have users pick a login image: in addition to the password, they have to pick the correct image. So it would still be the process I suggested, except a failed login is allowed one time so long as the correct login image is selected. Also, the login images will be slow to load during times of attack, on purpose, to identify clients that are guessing before the image is served and to slow down their attack. I would also maintain a list of IP+UA that have repeatedly logged in successfully, to exempt or prioritize them depending on the attack.
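The /24 gating and the IP+UA exemption list from the comment above, written out as an added example (this is not code from the comment or from the site being discussed). It assumes the caller has already checked the credentials and passes the result in as `password_ok`, that a client pair becomes trusted after `trust_after` successful logins (3 here, a chosen value), that IPv6 clients are grouped by /64 (the comment only mentions /24), and that the clock is injectable so the "X hours" expiry can be tested without waiting. The captcha requirement is checked before the password is evaluated, so a gated attacker cannot learn anything from a guess without first solving a captcha.

```python
"""Per-/24 captcha gating for a login endpoint with a trusted IP+UA exemption list."""
import ipaddress
import time
from typing import Callable, Dict, Tuple

# Assumption: the comment's /24 is IPv4; /64 is this example's choice for IPv6 clients.
PREFIX_BY_VERSION = {4: 24, 6: 64}


def subnet_key(ip: str) -> str:
    """Collapse a client address to the /24 (IPv4) or /64 (IPv6) it belongs to."""
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(f"{addr}/{PREFIX_BY_VERSION[addr.version]}", strict=False)
    return str(net)


class ManualClock:
    """Settable clock so the expiry logic can be exercised without real waiting."""

    def __init__(self, start: float) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


class LoginGate:
    """Decides whether a login attempt must solve a captcha before the password is even checked."""

    def __init__(self, captcha_hours: float = 4.0, trust_after: int = 3,
                 now: Callable[[], float] = time.time) -> None:
        self.captcha_ttl = captcha_hours * 3600      # the "X hours" from the comment
        self.trust_after = trust_after               # assumed: successes needed for exemption
        self.now = now
        self.flagged: Dict[str, float] = {}          # subnet -> time the captcha requirement expires
        self.successes: Dict[Tuple[str, str], int] = {}  # (ip, ua) -> successful logins seen

    def is_trusted(self, ip: str, ua: str) -> bool:
        """IP+UA pairs that have repeatedly logged in are exempt from the subnet gate."""
        return self.successes.get((ip, ua), 0) >= self.trust_after

    def captcha_required(self, ip: str, ua: str) -> bool:
        if self.is_trusted(ip, ua):
            return False
        key = subnet_key(ip)
        expires = self.flagged.get(key)
        if expires is None:
            return False
        if expires <= self.now():
            del self.flagged[key]                    # lazy expiry: the /24 is clean again
            return False
        return True

    def attempt(self, ip: str, ua: str, password_ok: bool, captcha_ok: bool = False) -> str:
        """Returns 'captcha_required', 'ok' or 'denied'.

        password_ok is the caller's credential check result; it is only honoured
        once the gate is satisfied, so a gated guess costs the attacker a captcha.
        """
        if self.captcha_required(ip, ua) and not captcha_ok:
            return "captcha_required"
        if password_ok:
            self.successes[(ip, ua)] = self.successes.get((ip, ua), 0) + 1
            return "ok"
        # The single captcha-free attempt from this /24 failed (or a captcha-backed one did):
        # put the whole block on captcha for captcha_ttl seconds from now.
        self.flagged[subnet_key(ip)] = self.now() + self.captcha_ttl
        return "denied"


if __name__ == "__main__":
    clock = ManualClock(1_000_000.0)
    gate = LoginGate(captcha_hours=2, trust_after=2, now=clock)
    print(gate.attempt("203.0.113.5", "ua-a", password_ok=False))        # denied
    print(gate.attempt("203.0.113.200", "ua-b", password_ok=True))       # captcha_required
    print(gate.attempt("203.0.113.200", "ua-b", True, captcha_ok=True))  # ok
    clock.t += 2 * 3600 + 1
    print(gate.captcha_required("203.0.113.5", "ua-a"))                  # False
```

Note that a second address in the same /24 is gated by the first address's failure; that is the intended trade-off, since a credential-stuffing run typically rotates within a small number of blocks, while legitimate users on that block only pay one captcha for the next few hours.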