Well, I just did some reading about max_input_vars and DDOS, it was enlightening. Now I understand the emails I get from WordFence about increased attack rates with increasing numbers of $_POST values. Quite honestly, I was not aware of the reason for PHP to limit this, but now I know something new I did not know yesterday.
At any rate, a good security plugin, like WordFence does a decent job a blocking these types of attacks, and depending on what country they are coming from I simply block the IP address permanently.
Welcome to the Advanced Custom Fields community forum.
Browse through ideas, snippets of code, questions and answers between fellow ACF users