You cannot really prevent connections to your server if hes using a different IP address.
You can always do things like detect his mac address and so on but this can be faked very easily so this is definitely not an option but more of a "confuse the hacker".
What you can do is improve your performance by scaling things up:
* Handle login requests on a separated thread
* You can design an architecture with a login server which is in charge of authentication (which is the most heavy process because you are either doing I/O operations or database queries). You can use kubernetes to scale your login server, make it run multiple instances of login server based on traffic (load balancing) so all traffic is split to services which will decrease the load on your login process, but this still causes a load on your database, and scaling database with data synchronization is definitely not an easy task. Think of it as not an attack, you have 100 million users right now, you have to handle it.
* Decrease unnecessary logic as much as possible in the login handling.
* Host on a company that knows what they are doing, a lot of companies like radware knows how to handle requests from suspicious sources such as free proxies or paid proxies that are usually used to send illegal spam requests. I highely recommend
[Only registered and activated users can see links. Click Here To Register...] they definitely know what they are doing.
You can play with IPTables or other tools to detect illegal traffic, a lot of companies have machine learning algorithms on this, you can't really be to sure who is a spam and who is real.
Using RSA and updating the keys every few hours and make your players automatically update their client will require the hacker to update their "bot" to get the new keys and might stop him for a bit, but this is just temporary. if he wants to, he will always find a way to go through it.
Comapnies that handle with DDOS attacks have a lot of information, they can detect and block a whole subnet of proxy services, but if the hacker really wants, he can get an expensive dedicated vpn service with million of IPs if he has the money for it.
Other than that I don't really see any way, it's not just an issue in RSPS, its something that every one has an issue with, big companies with real traffic.
Hope it helped, if anyone else has any ideas i'd like to get updated too !