CBQ would work for your application, but is is not efficient because CBQ is used to shape traffic. You need to do ingress traffic policing.
Here is an example:
Assume that my WAN interface is eth1 and I am limiting inbound traffic from ip address: 18.104.22.168
tc qdisc del dev eth1 ingress
tc qdisc add dev eth1 handle ffff: ingress
tc filter add dev eth1 parent ffff: protocol ip prio 50 u32 match ip src 22.214.171.124 police rate 128kbit burst 15k drop flowid :1
The first line clears any existing ingress qdisc on eth1, if it gives you weird output that is fine.
The second line creates an ingress qdisc on eth1.
The third line creates a 128 Kbps bandwidth cap on all traffic coming from IP address: 126.96.36.199. If this traffic comes in at a rate of higher than 128 Kbps the action will be to drop excess packets.
NOTE: This will work if you are using a service that uses the TCP protocol because TCP will adjust its speed when it starts losing packets. If the connection is saturated with UDP traffic then this will not help you. This is not meant to prevent or mitigate attacks.