Cory Doctrow has a good article on the differences between the speed of detected an attack and the automated response to it and the slowness in recovering from a mis-applied block.

As usual Cory outlines it is brilliantly simple, straight forward terms that anyone can understand. I used this tactic quite a bit when pen-testing in a no-holds bar pen-test. Basically I spoofed UDP based attacks against a host and used the central log servers IP address as the source of the attack. This triggered the HIDS on this host to block traffic to and from the log server. Instant invisibility from the folks monitoring the central log server.

This also realy drives home my issue with auto-blocking web application firewalls.  When your WAF decides to block something one from using your website the really have no recourse that will respond as fast as the blocking of there traffic. If Mr. O’Reilly can’t checkout, he will just move along to someplace he can.

When you deploy any mechanism that auto-blocks traffic you must take great care to think through the methods of blocking, the thresholds where something is blocked, and how to recover from inadvertent blocking of a legitimate person/host.