incrediBILL - 9:41 pm on Aug 29, 2013 (gmt 0)
Not a big fan of playing with iptables, although I've done it many times. Unless you specify specific ports in iptables, you're blocking all access (email, etc.) vs. doing it in Apache, which usually only impacts port 80.
Apache pre-processes and caches stuff so it's pretty fast even with 10s of thousands of DENY statements. There are tricks to make it faster, some not in .htaccess, including RewriteMaps and indexed DBM files.
My preferred method is to do the same in MySQL and PHP at the beginning of all your scripts or files and keep all the data crunching out of Apache because it's flaky at best.
The real problem is that blocking IP by IP as you encounter them is just a waste of your time, because they have new IPs as fast as you've blocked the old ones, which is why blocking entire countries and data centers cuts through the chase and gets to the core of the problem.
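The "check at the beginning of every script, block whole ranges rather than single hosts" approach described in the post, as an added example. This is not the poster's code and not from the forum: it is written in Python (using the standard-library `ipaddress` module) rather than the PHP/MySQL setup the post describes, the names `DENY_RANGES`, `RangeDenyList`, `deny_status` and `blocked_count` are this example's own, and the ranges are constructed from RFC 5737 / RFC 3849 documentation prefixes with made-up labels, so no real hosting network or country block is named.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample deny list. Entries are whole ranges (the "data center"
# or "country" style blocks the post argues for) rather than single hosts.
# The prefixes are RFC 5737 / RFC 3849 documentation ranges, chosen so the
# example never names a real network; the labels are made up.
DENY_RANGES: List[Tuple[str, str]] = [
    ("192.0.2.0/24",    "example-datacenter-A"),
    ("198.51.100.0/24", "example-datacenter-B"),
    ("203.0.113.0/25",  "example-country-block"),
    ("2001:db8::/32",   "example-v6-block"),
]


class RangeDenyList:
    """Range-based deny list: a client is denied if its address falls inside
    any listed network, so moving to a neighbouring address in the same
    data center does not get around the block."""

    def __init__(self, entries):
        self._v4 = []
        self._v6 = []
        for cidr, label in entries:
            net = ipaddress.ip_network(cidr, strict=False)
            table = self._v4 if net.version == 4 else self._v6
            table.append((net, label))
        # Most specific prefix first, so an overlapping narrower entry
        # reports its own label rather than the enclosing block's.
        for table in (self._v4, self._v6):
            table.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, ip: str) -> Optional[str]:
        """Return the label of the most specific range containing ip, or None
        if the address is not listed. Raises ValueError on unparsable input."""
        addr = ipaddress.ip_address(ip)
        table = self._v4 if addr.version == 4 else self._v6
        for net, label in table:
            if addr in net:
                return label
        return None


DENY_LIST = RangeDenyList(DENY_RANGES)


def deny_status(remote_addr: str, deny_list: RangeDenyList = DENY_LIST) -> Optional[int]:
    """Gate to call before any real work in a request handler.
    Returns 403 when the client should be refused, None when it may proceed.
    A REMOTE_ADDR that does not parse as an address is refused as well
    (fail closed) rather than silently let through."""
    try:
        label = deny_list.lookup(remote_addr)
    except ValueError:
        return 403
    return 403 if label is not None else None


def blocked_count(addrs, deny_list: RangeDenyList = DENY_LIST) -> int:
    """How many of a batch of client addresses the range list refuses.
    A per-IP list would need one entry per address; one range catches them all."""
    return sum(1 for a in addrs if deny_status(a, deny_list) == 403)


if __name__ == "__main__":
    # Constructed sample: one client rotating through a /24 that is denied,
    # plus one private address outside every listed range.
    rotating = ["192.0.2.%d" % n for n in (5, 17, 99, 200)]
    print(blocked_count(rotating), "of", len(rotating), "rotating addresses blocked")
    print("10.0.0.1 ->", deny_status("10.0.0.1"))
```

The linear scan is fine for a few hundred ranges; for the tens of thousands of entries the post mentions you would keep the table in a database or DBM file, as the post suggests, and keep the same fail-closed gate in front of it.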