Hi Nicola
just one thing to comment on about ip addresses is that usually the
focus is not on what / who the ip address is, but what that specific
ip address is doing - so that the dodgy activity can be identified
and circumvented.
ie if there is a vulnerability of some sort in your site, the main
thing to figure out is what that vulnerability is and stop that.
Blocking specific IP's is really only a (very) temporary measure
that can stop the pain at the time; but doesn't solve the
vulnerability. If some exploiter / hacker has found something in
your site that is useful to them, it usually takes them very little
effort to use a different ip.
On some investigations of high usage I have found eg a googlebot or
other search engine ip has been a major user; and that has been
useful info, in that they're not likely to be a hacker / exploiter
:-) (one would hope not). In these cases it has been them indexing a
calendar eg jcal, forever into the past and future - adding useless
data to their search database (fixed by adding entries to robots.txt
so that they don't index the site quite so thoroughly :-)
Using sh404sef with .htaccess on sites also allows greater control
via robots.txt too (ie limiting what you want indexed in eg jcal
other events cal). sh404sef also has an antiflooding mechanism
(which can also be a pain!) that blocks specific ips that are
overzealous about getting content from your site - use with care as
the last thing you want is to block genuine visits on a popular
site; but the logic is sound that if a specific ip address hits your
site too many times in a specified time period, that it may indeed
be something initiated by dodgy brothers inc.
I'd also suggest using the standard .htaccess file for Joomla (ie
rename htaccess.txt to .htaccess on most servers) as that has some
standard rewrites that can slow down exploitative behaviour (someone
else may correct me on this, but I think even if you do not turn on
'sef' in Joomla, that this .htaccess rewrites some known bad
behaviour)
as always - happy to be corrected by others who have had other
experience, but hoping that my comments may be helpful / create a
dialogue.
Cheers
Ian