Are the IP addresses within a similar range to each other or completely random? If they're random, how do you know it's clickfraud and not just actual visitors hitting your site and leaving because they're not interested?

It is very difficult to detect, let alone prevent, click fraud, due to the inherent nature of clicks. If you are lucky, the fraudster isn't very sophisticated, and will show themself with obvious patterns such as the same IP (or IPs from the same netblock), or similar types of clicks at the same time of day. On the other hand, a sophisticated fraudster can make themself look like someone who shows up to your sites but does not convert. So you have to decide what your policy will be with respect to paying for clicks. IMO, if for whatever reasons, you're just not getting what you want (conversions, sales, etc.), you should cancel the account, at least on those nonconverting channels.

(Disclaimer: I have always thought CPC was a bad idea from a technical and business perspective.)

geobals, that's a $64,000,000 question that many, many people are working on right now (and probably for many years). You simply cannot prevent click fraud ... you can only hope to detect it, after it has happened.

Say you decide to use IP addresses as your filter.

If you have a lot of AOL visitors, that's useless because AOL recycles the IP addresses of users dialed-up to it about every 10 minutes. What looks like the same user hitting you 15 times is probably 12 users.

Say you decide to use user-agents ...

Simple to switch the user-agent data. Useless.

Say you'll use the MAC addresses ...

Not reliable, and easily disabled by the user.

Say you use a combination of these and more ...

What if the fraudster is only clicking three times per day? What if they are using a round-robin of proxies? What if it's a bot that modifies its profile every 2 hours?

So far the idea that works the best is very time-consuming and not at all guaranteed: filter and visually inspect your log files and the logs from your CPC provider(s) and correlate that data then try to manually identify suspicious behaviour, then try to get refunds from your CPC provider, arguing with them that the fraud they didn't charge you for (because they are trying to detect it, too) wasn't ALL of the fraud, and they should refund you for what you discovered.

There is no easy answer (or even a complicated one), but when you come up with a system, please let the rest of us know about it! ;)