Best method for blocking too many PHP processes due to broken links and 404 errors

I just migrated to a new VPS from shared and don't have many of the configs of the old system. I'm having a problem with a couple of IPs downloading images out of a folder. This is a normal thing we allow but two IPs are using the wrong folder ( one level above where they should be) and it's causing 50-100 PHP processes from 404 errors generated. Every time there's a 404 it calls an index.php and these are where all of the PHP processes are coming from. This in turn eats all memory and crashes mysql and spamd and the site goes down. We allow bulk image downloading of about 3500 images and it's never been an issue until on this server so obviously it's a config I don't have in place. I can see them trying it every morning at the same time and if I kill all PHP processes while they run through the bad URLs I can keep the server from crashing using "killall php". As an example they should be downloading from /home//public_html/images/backup/detailed. This is where all of the images are but instead two are trying to get them from /home//public_html/images/detailed and there are no images there. The 404s happen so fast (1-5 per second) it builds up too many PHP processes. They are downloading via script or a download manager. httpd processes are normal. What is the best method for dealing with this? I need to keep users out of this folder when downloading images but the cart requires /home//public_html/images/detailed to function because there are subfolders it uses for product images. How do I limit the PHP processes from eating up memory? I don't want to block the IP entirely because they are good customers. I haven't been able to get their info by IP to contact them and ask them to stop using the bad URLs plus I need to protect the server from this type of issue with anyone else. Thanks