by TacticalCoder 900 days ago
> Block those and you are blocking legit customers.

The block doesn't need to be permanent. There are people out there publishing lists of IPs known to belong to botnets and they're regularly updated. You can ban an IP for, say, 72 hours, and update your ipset regularly.

But anyway I've got a philosophical question...

If a customer has its computer owned by a botnet operator and that computer connects to a banking website, is the customer legit?

1 comments

Well, you'd need to know if the customer or the bot is connecting. Both are on the same IP, which was my point. Rationally I'd want to block any compromised device regardless of the customer, but it's a complex problem for sure.
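The 72-hour temporary ban described in the first comment, as an added example that is not code from either commenter: a filter that turns a published botnet IP feed into input for `ipset -exist restore`, so re-running it refreshes the timeout for addresses still on the feed while addresses dropped from the feed expire on their own. The set name, the feed layout (one IPv4 address per line, `#` comments) and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: convert a botnet IP feed into input for `ipset -exist restore`.
SET_NAME="botnet_tmp"        # hypothetical set name
BAN_SECONDS=$((72 * 3600))   # the 72-hour ban from the comment = 259200 s

# Succeeds only for a dotted quad whose four octets are each 0..255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                # split on dots into $1..$4
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Reads the feed on stdin, writes restore commands on stdout.
# Feed lines that are not plain IPv4 addresses are reported on stderr and
# never reach the firewall, so a corrupted feed cannot inject set commands.
feed_to_restore() {
    printf 'create %s hash:ip family inet timeout %s\n' "$SET_NAME" "$BAN_SECONDS"
    while IFS= read -r line || [ -n "$line" ]; do
        addr=${line%%#*}                               # drop comments
        addr=$(printf '%s' "$addr" | tr -d ' \t\r')    # drop whitespace and CR
        [ -n "$addr" ] || continue
        if is_ipv4 "$addr"; then
            # Under -exist, re-adding an existing entry resets its timeout.
            printf 'add %s %s timeout %s\n' "$SET_NAME" "$addr" "$BAN_SECONDS"
        else
            printf 'skipped invalid entry: %s\n' "$addr" >&2
        fi
    done
}

# Constructed sample feed (documentation address ranges, not real indicators).
sample_feed() {
    printf '%s\n' '# constructed feed' '192.0.2.10' \
        '198.51.100.7   # trailing comment' '' '999.1.1.1' 'not-an-ip'
}

# Demo: print the commands that would be piped into `ipset -exist restore`.
sample_feed | feed_to_restore
```

Entries whose address stays on the feed are renewed on every run; an address that leaves the feed simply ages out 72 hours after it was last seen, which is what makes the block temporary.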