Blocking IPs with htaccess

         

bhuether

3:06 pm on Mar 29, 2008 (gmt 0)




I have hundreds of IPs in my error log from hack attempts. Is it worth blocking them or should I just let apache mod_security do its thing? I don't want to slow my site down by adding hundreds of IPs to my htaccess.

thanks,

brian

wilderness

3:44 pm on Mar 29, 2008 (gmt 0)




Best practice is to explore the source of each IP and make a determination of the results.

1) Does the IP offer a provider range that is likely to be recurring and, as a result, require an expanded (larger) range of the provider?

If the "error logs" are simply that and generated 404s or 403s?
Why take any action at all?
In most instances, a solution would only provide insight to these folks that you're aware of their activities and they may return later with either a more effective and/or deceptive attempt.

The denial of IPs or UAs alone is not CPU heavy.
Rather, scripts, domain or IP verifications configured into your server (via htaccess) are what result in CPU load and SLOW.

Don

jdMorgan

4:21 pm on Mar 29, 2008 (gmt 0)




If the [logged errors] are simply that and [all of these requests] generated 404s or 403s, why take any action at all? In most instances, a [specific coded] solution would only provide insight to these folks that you're aware of their activities and they may return later with either a more-effective and/or more-deceptive attempt.

This is a very good point, and should be emphasized.

Jim

bhuether

4:27 pm on Mar 29, 2008 (gmt 0)




They are 406 errors.

wilderness

4:49 pm on Mar 29, 2008 (gmt 0)




They are 406 errors.

Same explanation as 403s and 404s.

jdMorgan

5:09 pm on Mar 29, 2008 (gmt 0)




406 Not Acceptable
The resource identified by the request is only capable of generating response entities which have content characteristics not acceptable according to the accept headers sent in the request.

Usually, this means that the requestor sent an Accept (MIME-type), Accept-Language, Accept-Encoding, and/or Accept-Charset header that your server configuration does not support.

If these requests are costing you too much bandwidth, you could take a look at those headers and use some combination of them to build an exclusion policy that would cover all of these requests, without having to rely on IP address or range detection.

It's pretty odd that they're sending 'uncommon' values in these Accept headers, but you can use this to your advantage.

Jim
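
Added example (not part of the original thread or any poster's code): one way to find an Accept-header value that covers the 406 requests while never appearing on other traffic, which is the check to run before turning a header into an exclusion rule. It assumes a custom Apache LogFormat that records the four Accept headers; the function names, log lines and header values are constructed for illustration.

```python
import re
from collections import Counter

# Assumed custom Apache log format (an assumption, not from the thread):
#   LogFormat "%h %>s \"%{Accept}i\" \"%{Accept-Language}i\" \"%{Accept-Encoding}i\" \"%{Accept-Charset}i\"" accept
FIELDS = ("Accept", "Accept-Language", "Accept-Encoding", "Accept-Charset")
LINE_RE = re.compile(r'^(\S+) (\d{3}) "([^"]*)" "([^"]*)" "([^"]*)" "([^"]*)"$')

# Constructed sample lines: documentation-range IPs, made-up header values.
SAMPLE_LOG = """\
192.0.2.10 406 "text/x-unusual" "-" "x-odd-encoding" "-"
198.51.100.7 406 "text/x-unusual" "-" "x-odd-encoding" "-"
203.0.113.5 406 "text/x-unusual" "zz" "x-odd-encoding" "-"
192.0.2.44 200 "text/html,*/*;q=0.8" "en-US,en;q=0.5" "gzip, deflate" "-"
198.51.100.90 200 "*/*" "-" "gzip" "-"
203.0.113.77 404 "text/html,*/*;q=0.8" "de" "gzip, deflate" "utf-8"
"""

def parse(log_text):
    """Yield (ip, status, {header: value}) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines with escaped quotes or other shapes are skipped
            yield m.group(1), int(m.group(2)), dict(zip(FIELDS, m.groups()[2:]))

def candidate_rules(log_text, status=406):
    """Return (header, value, coverage) for header values seen on `status`
    requests and on no other request in the sample, highest count first.
    coverage is the fraction of `status` requests carrying that value."""
    hits, others, total = Counter(), set(), 0
    for _ip, code, headers in parse(log_text):
        pairs = set(headers.items())
        if code == status:
            total += 1
            hits.update(pairs)
        else:
            others |= pairs  # values that legitimate/other traffic also sends
    return [(name, value, n / total)
            for (name, value), n in hits.most_common()
            if (name, value) not in others]

if __name__ == "__main__":
    for name, value, coverage in candidate_rules(SAMPLE_LOG):
        print(f"{name}: {value!r} covers {coverage:.0%} of 406 requests")
```

A value with full coverage and no overlap in a small sample is only a candidate; rerun it over a longer log window before denying on that header.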