incrediBILL - 12:50 am on Oct 21, 2010 (gmt 0)
Even if you were able to block all the IP addresses, you are blocking unsuspecting victim machines from your site in the future.
You don't leave the IPs blocked forever, at least I never have, just long enough to mitigate the attack and wait for them to go away.
Most often there's some other flaw in the attack that allows it to be filtered by the type of traffic, not the traffic source, which basically ends the problem without blocking IPs.
I've had to actually block entire countries like Russia, Ukraine, China, etc. before to stop an attack, and I still block China just to keep the spam out, which turned into a near DDoS on its own!