[gurrone]

Yeah recent credential stuffing attacks I witnessed showed that blocking traffic based on AS numbers is very helpful. If your attacker is stupid User-Agent based blocks can be surprisingly effective as well. Beside of that rate-limiting, and if you can, geo blocking can at least slowdown malicious traffic. It's a bit of pity that the internet is no longer a peer2peer network and just client-server. But since you've a lot of server only networks, you can quite safely block them if your API is clients only. You still might see some false positive due a lot of VPN provider traffic. For what it's worth free VPN services now also push a lot of malicious traffic.