Re: "Most traffic is malicious" argument does not hold up
Not necessarily. It could be a co-opted IP that's ALSO being used for legitimate traffic. Or worse, spoofed. Blocking such an IP would be like throwing out the baby with the bathwater. Expect defections.
In the short term, I still don't care. If I'm getting high-volume malicious traffic from an IP address - for instance, as I have said, a dictionary attack on an email server, where hundreds of connections are being attempted every second - then a deny rule in the firewall stops that traffic dead and prevents the server from being overwhelmed.
It doesn't matter if it's an IP that belongs to someone's infected computer, a Tor exit node, or is spoofed; the deny rule stops the traffic hitting the server, and that's my primary objective.
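As an added illustration of the situation described above (example code, not from the post's author or any product), a small Python detector that reads a constructed connection log, finds sources whose per-second connection rate points to the dictionary-attack pattern, and prints the firewall deny rule; the log format, the threshold, and the allowlist are assumptions, and the allowlist exists so a known shared address is not dropped by reflex.

```python
import re
from collections import defaultdict

# Constructed sample log (not from any real server): one legitimate sender
# making a few connections, and one source opening 300 connections in a
# single second, the pattern the post describes for a dictionary attack.
LEGIT = ["1700000000 connect from 198.51.100.7",
         "1700000003 connect from 198.51.100.7"]
FLOOD = [f"{1700000001 if i < 300 else 1700000002} connect from 203.0.113.5"
         for i in range(320)]
SAMPLE_LOG = "\n".join(LEGIT + FLOOD)

# Assumed line format: "<epoch seconds> connect from <ipv4>"
LINE_RE = re.compile(r"^(?P<ts>\d+) connect from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")


def parse_connections(log_text):
    """Return (epoch_second, source_ip) pairs; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group("ts")), m.group("ip")))
    return events


def find_flooding_sources(events, per_second_threshold=100, allowlist=frozenset()):
    """Map each source IP whose peak connections-per-second exceeds the
    threshold to that peak. Allowlisted IPs (assumed known-good shared
    addresses) are never reported, so they are never blocked automatically."""
    per_ip_second = defaultdict(int)
    for ts, ip in events:
        per_ip_second[(ip, ts)] += 1
    peak = defaultdict(int)
    for (ip, _), n in per_ip_second.items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items()
            if n > per_second_threshold and ip not in allowlist}


def deny_rule(ip):
    """Rule inserted at the top of INPUT so the flood is dropped before it
    reaches the mail daemon (iptables syntax)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    flooders = find_flooding_sources(parse_connections(SAMPLE_LOG))
    for ip, rate in sorted(flooders.items()):
        print(f"# {ip} peaked at {rate} connections/s")
        print(deny_rule(ip))
```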