Restrict inbound API calls using iRule

What part of the environment are you trying to protect? DDoS protection is more complicated than blocking certain clients/requests. For example, is it that the backend servers can't handle the load, or the ISP is the limiting factor, or the SSL TPS of the BIG-IP? LTM/AFM can do the L3/L4 blocking, ASM can do L7. Silverline can do the cloud scrubbing.

ASM can parse the JSON by creating a content profile and you can then act on the key/values of the JSON, limit metacharacters, scrub data for logs, etc. And it can also rate limit at the L7 level to block certain types of attacks. An iRule can also do L7 stuff like you mentioned, dropping/resetting/responding with custom responses based on URI's, headers, POST data, etc.