MxAngel - 9:21 pm on Nov 8, 2012 (gmt 0)
I block traffic from well-known (bad) data centers and spiders / bots.
If I spot bad behavior from an IP belonging to a hosting company / data center, I usually block all IPs belonging to the same host, by IP range, CIDR range or hostname to make sure to catch a maximum of IPs.
Normal visitors don't originate from a webhost although sometimes I'm surprised how many businesses use their mail server or ns servers to surf the web and I need to take that into account too. That's why I've got a set of "rules" that apply to a certain type of servers.
I've got a total country block on some countries because I had enough of dealing with their daily hacking attempts. Blocking by single IPs is useless as they don't use static IPs.
I added some general detection stuff to simply track IP blocks or traffic coming from a certain type of servers (see note about mail and ns servers); it also detects new bots / attacks and the script connects to sites sharing banned IP data ... I kinda add as I go.