Server Farms 2025

Continuing discussion of hosting and data center IP ranges

         

not2easy

1:50 pm on Feb 27, 2025 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



This thread is where we report data center IP ranges as they are discovered or changed in the ever evolving assigned IP landscape.

Past server farm threads:


blend27

2:02 pm on Feb 27, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



So I have been playing with a bunch of DataSets of IP ranges, large IPv4 datasets (no care no fly for IPv6 at this point).

We have seen FTP sources from ARIN, RIPE and the rest...

How do you make sure your Light Saber is the sharpest?

..asking for a friend...

blend27

2:22 pm on Feb 27, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



SumGuy and lucy24 should be here any minute....

SumGuy

3:07 pm on Mar 1, 2025 (gmt 0)

5+ Year Member Top Contributors Of The Month



What's an FTP source?

The last tally I did, I was blocking 28% of IPv4 space. But remember, because my web server is on my own hardware, on my own static IP, I can shift my IP-blocking to my router (a $100 Ubiquiti EdgeRouter 4). That 28% blocking is a complete block; I don't log attempted contact activity from those IPs (which can be and frequently is any port, like in port scans, pings, and attempts to send mail to my domain). Beyond that, a separate IP blocking list is just for SMTP (email) and another for HTTP/HTTPS. I do log the drops from those 2 lists.

So for example I see today that 109.71.43.65 knocked on my door (port 80, so http) 4 times but was dropped (and logged). It wasn't on my primary drop-everything list, but it was in my http/https list so it gets logged. From the other side, the effect is the same - they see dead air. No response. I look at that IP (AS24768), I look at the prefixes (65 CIDRs) and their descriptions and say Yup, you're useless to me, and all 65 CIDRs get added to my block-all-no-logging list, and I'll never see those IPs show up in a log again. So this is way beyond identifying the big players like Hetzner or Digital Ocean. Large parts of Goog, MSFT and AWS are also in my drop-don't-log list. But for those I have to make sure I'm not blocking sources of legit email.

The big deal now is residential proxies, and just lately I'm testing a few new HTTP header filters (which naturally are implemented on my web server, not the router).

Something I'm seeing very recently (but haven't back-tested) is this: I see page requests (so requests for some-file.html) where the referrer is also some-file.html. That doesn't make sense to me, but it could be an attempt by a bot to fill in all relevant header fields to look legit. Or a request for my landing page (which could be default.html or index.html) but the referrer is www.my-domain.TLD, which again I can't see how that makes sense. A legit hit would have either a blank referrer or a search-engine referrer.

blend27

5:09 pm on Mar 1, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



ye. ye maybe...

.. all relevant header fields to look legit...

I de-linked home page from homepage on all the sites I manage 15 years ago:

If referrer says it is from:

http://myexample.tld
OR
http://www.myexample.tld
OR
https://myexample.tld
OR
https://www.myexample.tld


and trying to hit
https://www.myexample.tld
it is an automatic ADD to MAP file that is accessed by .htaccess file before the next request.
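The two referrer checks described in the posts above (a page request whose referrer is that same page, and a landing-page request whose referrer is the site's own root), as an added example that is not code from any poster in this thread. It scans combined-format access log lines and returns the client IPs to review; the host names, landing-page aliases and log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed values (not from the thread): own host names and landing-page aliases.
OWN_HOSTS = {"myexample.tld", "www.myexample.tld"}
LANDING = {"/", "/index.html", "/default.html"}

# Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def normalize(path):
    """Map every landing-page alias (and an empty path) to "/"."""
    path = path or "/"
    return "/" if path.lower() in LANDING else path

def is_self_referral(target, referer):
    """True when the Referer names the requested page itself on our own host."""
    if referer in ("", "-"):
        return False
    try:
        # Accept scheme-less values such as "www.myexample.tld".
        ref = urlsplit(referer if "//" in referer else "//" + referer)
        req_path = urlsplit(target).path
    except ValueError:  # malformed header or request target
        return False
    if (ref.hostname or "").lower() not in OWN_HOSTS:
        return False
    return normalize(req_path) == normalize(ref.path)

def flagged_ips(lines):
    """Client IPs, in first-seen order, that sent a self-referring request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and is_self_referral(m["target"], m["referer"]) and m["ip"] not in hits:
            hits.append(m["ip"])
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2025:15:07:00 +0000] "GET /some-file.html HTTP/1.1" 200 5120 "https://www.myexample.tld/some-file.html" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Mar/2025:15:07:02 +0000] "GET / HTTP/1.1" 200 8042 "https://www.myexample.tld" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Mar/2025:15:07:05 +0000] "GET /index.html HTTP/1.1" 200 8042 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Mar/2025:15:07:09 +0000] "GET /some-file.html HTTP/1.1" 200 5120 "https://www.myexample.tld/other.html" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Mar/2025:15:07:12 +0000] "GET /default.html HTTP/1.1" 200 8042 "https://search.example/?q=x" "Mozilla/5.0"',
]
```

Normal internal navigation (a referrer that is a different page on the same site) is not flagged, so the output is a review list rather than a block list.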