I would like one that counts by number of unique IP addresses within a class.
So this didn't work as *I* had intended - by your mentioning ddos mitigation it is clear that you meant this to be used against rapid fire bombardment. I, on the other hand, thought it would be useful to block repeat offender "bullet-proof" type hosting botnets.
I was hoping to trap a class C host - full of comment spam, brute-forcers, etc... i.e. if we spot patterns belonging to particular datacenters known to harbour baddies - 25 or more IP addresses in one class C block (~10% "abusive" addresses out of your 255) - you get blocked.
The netblock function here - configured to trigger on 20 blocks (the maximum the form allows us to choose) within 7 days - blocked a whole class C when in reality, it was only 4 questionable IP addresses.
Time: Fri Oct 13 21:21:52 2017 -0400
Block: 159.220.78.0/24
Hits: 21
IP addresses that triggered the block
Sat Oct 7 05:39:53 2017 159.220.78.114
Sat Oct 7 05:40:38 2017 159.220.78.115
Sat Oct 7 09:43:45 2017 159.220.78.113
Sat Oct 7 09:44:25 2017 159.220.78.114
Sat Oct 7 09:45:15 2017 159.220.78.115
Mon Oct 9 08:54:57 2017 159.220.78.114
Mon Oct 9 08:55:37 2017 159.220.78.115
Mon Oct 9 12:58:33 2017 159.220.78.113
Mon Oct 9 12:59:23 2017 159.220.78.114
Mon Oct 9 13:00:13 2017 159.220.78.115
Mon Oct 9 18:55:05 2017 159.220.78.114
Mon Oct 9 18:55:50 2017 159.220.78.115
Fri Oct 13 08:21:59 2017 159.220.78.114
Fri Oct 13 08:22:44 2017 159.220.78.115
Fri Oct 13 12:25:39 2017 159.220.78.114
Fri Oct 13 12:26:19 2017 159.220.78.115
Fri Oct 13 17:16:24 2017 159.220.78.114
Fri Oct 13 17:17:09 2017 159.220.78.115
Fri Oct 13 21:20:07 2017 159.220.78.114
Fri Oct 13 21:20:49 2017 159.220.78.115
Fri Oct 13 21:21:44 2017 159.220.78.116