More or less like this:

var http = require('http');
var ipTables = {};

var server = http.createServer((req, res) => {
    //Ваш обработчик запроса или express/connect вместо него
});

server.on('connection', socket => {
    var ip = socket.address().address;
    var time = Date.now();
    if(ip in ipTables) {
        if(time - ipTables[ip].time > 3000) {
            ipTables[ip] = {
                count : 1,
                time
            };
            return;
        }
        ipTables[ip].count++;
        ipTables[ip].time = time;
        if(ipTables[ip].count > 100) {
            socket.end('HTTP/1.1 429 Too Many Requests\n\n');
            socket.destroy(); //Обрываем соеденение, так как ip ломится слишком часто
        }
        return;
    }
    ipTables[ip] = {
        count : 1,
        time
    };
});

server.listen(80);

This is not a node to do.

BAN=5^T;
Trigger: 5 qps (5 (queries per second) requests per second from the same address to the same URI)
Trigger fired 1st time: BAN+=5^1 (5 seconds ban to the remaining time)
Trigger fired 2nd time : BAN+=5^2 (25 seconds ban to remaining time)
Trigger fired 3rd time: BAN+=5^3 ((~2min) 125 seconds ban to remaining time)
etc.
The number of triggerings (counter) of the trigger is incremented until the BAN time expires. As soon as the time is up, the trigger counter is reset.

1. Proxy traffic through nginx (instructions in google)
   
2. Set up DDOS protection (and many other useful things) in nginx (Google instructions)
   
3. Profit)
   

If setting up protection in a proxy or load balancer is not an option for some reason, you will have to do it in node.js
I use the rate-limiter-flexible
package Allows you to limit traffic, configure additional rules, and it also has blocking and insurance strategies if you have node.js running on a cluster or multiple servers