What's the right way to block brute force of HTTP basic auth?


http://serverfault.com – Here's my thought: set a threshold like 30 times in a minute, then block this IP for a few minutes. But if the attacker forges the source IP address, this could block a legitimate user immediately. And I'm confused now.
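The scheme described in the question, as an added example that is not part of the original post: a sliding-window counter of failed Basic Auth attempts keyed by the client's TCP peer address (not a forwardable header), using the asker's 30-per-minute threshold and an assumed five-minute block. Only failures are counted, so a user who authenticates successfully is never locked out by their own traffic.

```python
from collections import defaultdict, deque

# Assumed values: threshold and window follow the question; block length is a guess.
THRESHOLD = 30        # failed attempts that trigger a block
WINDOW_SECONDS = 60   # sliding window the failures are counted in
BLOCK_SECONDS = 300   # how long the client stays blocked


class AuthThrottle:
    """Per-client lockout for failed HTTP Basic Auth attempts.

    Key on the socket peer address: an attacker cannot complete a TCP handshake
    from a forged source address, so a finished HTTP request carries a real IP.
    Trust X-Forwarded-For only if a proxy you control sets it.
    """

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS, block=BLOCK_SECONDS):
        self.threshold = threshold
        self.window = window
        self.block = block
        self._failures = defaultdict(deque)  # client -> timestamps of recent failures
        self._blocked_until = {}             # client -> time at which the block expires

    def is_blocked(self, client, now):
        """True while the client is inside its block period; expired blocks are cleared."""
        until = self._blocked_until.get(client)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[client]
            self._failures.pop(client, None)
            return False
        return True

    def record_failure(self, client, now):
        """Record one 401; return True if this attempt pushed the client into a block."""
        recent = self._failures[client]
        recent.append(now)
        while recent and now - recent[0] >= self.window:  # drop attempts outside the window
            recent.popleft()
        if len(recent) >= self.threshold:
            self._blocked_until[client] = now + self.block
            recent.clear()
            return True
        return False

    def record_success(self, client):
        """A valid login clears the failure history for that client."""
        self._failures.pop(client, None)
```

Call `is_blocked` before checking credentials and `record_failure` or `record_success` after; a shared NAT address will still be blocked as a unit, so keying on (address, username) is a common refinement.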