The problems with trying to block by IP addresses are these:
99% of all hacking and spamming is automated with hackerbots and spambots.
There are usually 1,000's to 1,000,000's of IP addresses that a hackerbot or spambot can switch to automatically if you block 1 of the hackerbot's or spambot's IP addresses.
Example: You automatically block IP address 100.99.88.77 that a hackerbot or spambot is using. The hackerbot or spambot automatically switches to another IP address: 88.77.66.55. You block that IP address and the hackerbot or spambot automatically switches to another IP address: 200.99.88.77, etc.
We spent months researching blocking by IP addresses and ended up creating JTC Anti-Spam / Anti-Hacker. JTC is generally a CAPTCHA plugin with additional spambot traps, etc. Here is a link to a forum page where we were keeping track of testing and R&D.
http://forum.ait-pro.com/forums/topic/buddypress-spam-registration-buddypress-anti-spam-registration/
In general, what is always more effective and performance-oriented is to “allow” something vs “deny/block” something. Example: allow only your IP address on your login page – all other IP addresses are denied/blocked. Your IP address is finite and is known. Trying to block all other IP addresses would be infinite/unknown.
1. You would allow access to xyz.com/blah/ for whatever IP addresses you want to allow to view/access this page.
2. Processing an unknown user account name means that your website / server is using its resources and memory to do something with this. If a user account name is not valid then it cannot be used to log in to a website, so the optimum method is just to kill login processing instead of trying to do something about this, which could be used against your website as a DoS/DDoS attack. Example: hackerbot sends 100,000 login requests per second using a random user account name to your login page – your website and server will crash since they will be overloaded by that attack.
3. That is already available with this Custom Code here: http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
We are currently researching methods to throttle the number of requests to a website, but we are not really sure if it would be that effective since typically DoS/DDoS attacks are launched against a server and not individual websites. Still pending more research to see if this has any real value or not.
Thanks for sharing your ideas!
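
The allow-versus-deny point in the reply above, as an added example that is not part of the original post or the plugin's code: it replays the post's rotating addresses against a reactive denylist and against a fixed allowlist. The allowlisted networks are constructed documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed allowlist using documentation ranges (RFC 5737 / RFC 3849).
ALLOWED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("203.0.113.10/32", "198.51.100.0/24", "2001:db8:1::/48")
]
# The rotating addresses used in the post's example.
ROTATING_BOT_IPS = ["100.99.88.77", "88.77.66.55", "200.99.88.77"]


def parse_client_ip(raw):
    """Parse a peer address; return None if it is malformed.

    Assumption: `raw` is the TCP peer address reported by the server,
    not a client-supplied header such as X-Forwarded-For.
    """
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def allowlist_permits(raw, networks=ALLOWED_NETWORKS):
    """Finite, known set: anything unparseable or unlisted is denied."""
    ip = parse_client_ip(raw)
    if ip is None:
        return False
    return any(ip.version == net.version and ip in net for net in networks)


def simulate_rotation(bot_ips):
    """Replay the post's scenario against a reactive denylist and the allowlist.

    Returns (requests past denylist, requests past allowlist, denylist size).
    """
    denylist, deny_passed, allow_passed = set(), 0, 0
    for raw in bot_ips:
        ip = parse_client_ip(raw)
        if ip not in denylist:
            deny_passed += 1      # a fresh address always gets one request through
            denylist.add(ip)      # blocked only after the fact
        if allowlist_permits(raw):
            allow_passed += 1
    return deny_passed, allow_passed, len(denylist)


if __name__ == "__main__":
    print(simulate_rotation(ROTATING_BOT_IPS))
```

Every rotated address passes the denylist once and grows it by one entry, while the allowlist stays the same size and rejects all of them.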