Are those connections trying to log in to IW, SSH, FTP, etc.?
If so, clearly relying on x failures from y IP isn’t going to cut it, as you pointed out. Still, security is best done in a layered approach, and with all the brute-force attacks that use a single IP, I believe autoblocking is a good thing.
Since security is a journey, not a destination, as what can’t be done may be possible tomorrow, it is good to have layers. In cPanel one could set their account to use double authentication. Even after the correct user/pass was entered, if enabled, cPanel would then ask four questions before allowing a user to continue.
Once a positive login was performed, cPanel stored that IP for future access so each additional login wouldn’t require answering those questions. This was a good balance because it provided additional security and wasn’t overly annoying.
It is unfortunate so little attention is paid to security. I mean, just look at Target. Yeah, let’s give access to remote companies yet run all network traffic unsegmented. Those keyless car keys have no real security in them, which is why more advanced thieves have been able to steal the codes out of the air. So many hardware devices and programs are so insecure it is really sad.
I heard one story of a couple that hooked up a baby monitor to their wireless network, and due to a poor security setup a remote user accessed their equipment and started speaking through the system. Another example is SQL injection attacks. They ALWAYS mean poor programming. It means the programmer(s) failed to sanitize user input; always.
And now more and more devices are rushing to become web enabled, like refrigerators, washers, cars, etc., and there is no real security thought going into these products. Oh, and we can’t forget smartphones. That in and of itself could fill TBs of poorly configured phones and programs.
So yeah, I agree with your general idea that this solution won’t stop those quick connects from a single IP, but still there is a problem for the attackers. If they want to hit an account and try 5,000 user/pass logins, they will need 5,000 separate IPs. Not impossible for bot networks, but still it isn’t as clear cut as blasting 5,000 from a single IP. Now ramp that up to 100,000 IDs. Yup, again not impossible, but it takes more than a script running on a server in China or Russia.
So the journey of security continues. I will say do your best to lock down everything you can, whitelist what you can, open as few ports as possible, run multiple-layer security when you can, and keep your eyes open for new methods to counteract those crafty attackers.
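The layering argument in the post above, as an added example that is not part of the original post or of any product it mentions: a per-IP failure counter (the "x failures from y IP" autoblock) run next to a per-account failure counter over the same failed-login events. It goes beyond the post in treating a per-account counter as one possible extra layer. The log format, the thresholds, the ten-minute window and the function names are assumptions, and the log lines are constructed sample data using documentation IP ranges.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed log format (constructed for this example): "<ISO time> FAIL user=<u> ip=<ip>"
LINE = re.compile(r"^(\S+) FAIL user=(\S+) ip=(\S+)$")

def parse(lines):
    """Return (timestamp, user, ip) tuples for failed logins, sorted by time."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return sorted(events)

def over_threshold(events, key, threshold, window):
    """Keys ("ip" or "user") with >= threshold failures inside a sliding window."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, user, ip in events:
        q = recent[ip if key == "ip" else user]
        q.append(ts)
        while ts - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip if key == "ip" else user)
    return flagged

def sample_log():
    """Constructed data: one noisy IP, plus 8 IPs each trying 'admin' once."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} FAIL user=user{i} ip=198.51.100.7"
             for i in range(6)]
    lines += [f"{(base + timedelta(seconds=30 * i)).isoformat()} FAIL user=admin ip=203.0.113.{i + 1}"
              for i in range(8)]
    return lines

def analyze(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (IPs the per-IP layer flags, accounts the per-account layer flags)."""
    events = parse(lines)
    return (over_threshold(events, "ip", threshold, window),
            over_threshold(events, "user", threshold, window))
```

On the sample data the per-IP layer flags only the single noisy address, while the per-account layer flags `admin`, whose failures each came from a different IP.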