by dadum 4813 days ago
Unfortunately it doesn't look like that would do any good here.

With over 200k different botnet-controlled machines, all that tracking the IP sources would do here is create massive blocklists. There's already evidence growing that the botnet is trying 2-3 passwords per source IP, effectively bypassing existing limiting plugins.

A solution to the above is to limit the logins per account per timeframe, but that just locks the legitimate users out, causes the botnet to spread out the attack over longer periods, and ultimately only has a negative effect for the user.

The hosts are feeling the pain though. I've seen some hosts disabling access to wp-login.php entirely; this tells me that the shared hosts are having resource issues, so a limit-login style plugin would do zero to help them, it'd still cause massive problems for the host.

WordPress, Joomla, and other smaller CMSs are being targeted here, so this is by no means just WordPress's problem either.
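The trade-off dadum describes, as an added illustration that is not part of the thread: a sliding-window limiter keyed per source IP versus one keyed per account, run against a constructed scenario where each of many bot IPs tries only a few passwords against a single account. The limits, key names and timings are assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `max_attempts` events per key within `window` seconds."""

    def __init__(self, max_attempts, window):
        self.max_attempts = max_attempts
        self.window = window
        self.attempts = defaultdict(deque)  # key -> timestamps of allowed attempts

    def allow(self, key, now):
        q = self.attempts[key]
        while q and q[0] <= now - self.window:  # drop attempts outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


def simulate(n_ips, per_ip, ip_limit=5, account_limit=10, window=3600):
    """Constructed scenario: n_ips bots each try `per_ip` passwords against the
    account "admin" within one window (assumed limits: 5 per IP, 10 per account).
    Returns (attempts passed by per-IP limiter, attempts passed by per-account
    limiter, legit user allowed right after the attack, legit user allowed once
    the window has expired)."""
    by_ip = SlidingWindowLimiter(ip_limit, window)
    by_account = SlidingWindowLimiter(account_limit, window)
    passed_ip = passed_account = 0
    t = 0.0
    for ip in range(n_ips):
        for _ in range(per_ip):
            t += 0.001  # attempts arrive 1 ms apart, well inside one window
            if by_ip.allow(f"203.0.113.{ip}", t):  # documentation-range IPs, constructed
                passed_ip += 1
            if by_account.allow("admin", t):
                passed_account += 1
    # The legitimate owner of "admin" logs in just after the attack, then again
    # once the window has rolled over.
    legit_now = by_account.allow("admin", t + 1)
    legit_later = by_account.allow("admin", t + window + 1)
    return passed_ip, passed_account, legit_now, legit_later


if __name__ == "__main__":
    # 200k IPs at 3 guesses each, as in the thread: per-IP limiting stops nothing.
    print(simulate(200_000, 3))
```

With 3 guesses per IP the per-IP limiter never trips, while the per-account limiter caps the guesses at 10 but also turns away the real user until the window expires.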

2 comments

I get what you're saying but if the default setup were to rate-limit per-account logins, there'd be little reason for these botnets to do what they're doing. They don't want to block admin access to their CMS. They want to have actual access. Effective rate-limiting per-account would kill the effectiveness of their efforts.
Indeed a massive pain. I've been getting alerts from dreamhost regarding increased memory usage. I have http://www.wordfence.com/ installed and my blocklist only increases.