Good question! The fact you've got a thousand users on the same IP doesn't really change much honestly. Like I said, when you see this kind of attack happening it usually stands out in your monitoring. The trick is writing the filter rules to target it.
Using IP addresses as filter / block criteria isn't very effective so most don't do it. Any attacker even a slight clue is hopping all over IP blocks to route around IP blocks so effective filtering rules use things other than IP addresses.
In short, the fact that your "signal" (attacker) is using the exact same IP address as the "noise" (everybody else using the IP address) shouldn't be a problem.
Using IP addresses as filter / block criteria isn't very effective so most don't do it. Any attacker even a slight clue is hopping all over IP blocks to route around IP blocks so effective filtering rules use things other than IP addresses.
In short, the fact that your "signal" (attacker) is using the exact same IP address as the "noise" (everybody else using the IP address) shouldn't be a problem.