by tmallen 4592 days ago
I think the point is that with so many source IPs, blacklisting techniques are pointless, and given the duration of the attack, timeouts are useless too. What is better is an IP whitelist coupled with a notification if a certain number of logins fail from IPs outside of that whitelist, regardless of the time in between. Users with strong passwords could disable this notification but it makes others aware that they are under this attack (possibly).

An even more secure approach is what Linode does. If you log in from a non-whitelisted IP, they require you to whitelist the IP via an emailed link, then you can log in.

But that's overkill and the first one is a lot better for casual websites. You store the user's last login IP and you wait for maybe 1024 failed attempts not from that IP, which ought to be enough to suggest a brute-force attack. You're protecting "bluedog4", not "password" or "1234" which are going to get cracked anyway.
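The scheme described in the comment above, written out as an added example (this is not the commenter's code): a per-user counter of failed logins from IPs outside the user's whitelist that never decays with time, a notification once the count reaches the 1024 threshold the comment suggests, a per-user opt-out for people with strong passwords, and a constructed scenario in which every attempt arrives from a different source IP. The whitelist is assumed to be the set of IPs the user has successfully logged in from; the sample IPs and the `acknowledge` reset step are assumptions, not anything the comment specifies.

```python
"""Whitelist-plus-notification detector for distributed login brute force.

Added example, not the commenter's code. Assumptions: a user's whitelist is
the set of IPs they have logged in from; the failure counter is keyed on the
user and never reset by elapsed time; the 1024 threshold comes from the comment.
"""
from dataclasses import dataclass, field

FOREIGN_FAILURE_THRESHOLD = 1024  # threshold suggested in the comment


@dataclass
class UserLoginState:
    whitelist: set = field(default_factory=set)  # IPs the user has logged in from
    foreign_failures: int = 0          # failed logins from IPs outside the whitelist
    notified: bool = False             # one alert per episode, until acknowledged
    notifications_enabled: bool = True  # a strong-password user may opt out


class BruteForceMonitor:
    """Counts failed logins per user from non-whitelisted IPs.

    Because the counter is keyed on the target account rather than the source
    IP, and is never reset by time, a slow attack spread across thousands of
    source addresses still adds up to a single notification for the user.
    """

    def __init__(self, threshold=FOREIGN_FAILURE_THRESHOLD):
        self.threshold = threshold
        self.users = {}
        self.notifications = []  # (user, count) tuples; stand-in for an email

    def _state(self, user):
        return self.users.setdefault(user, UserLoginState())

    def record_success(self, user, ip):
        """Successful login: remember the IP so later failures from it are ignored."""
        self._state(user).whitelist.add(ip)

    def record_failure(self, user, ip):
        """Failed login. Returns 'known-ip', 'counted' or 'notified'."""
        s = self._state(user)
        if ip in s.whitelist:
            # Failures from the user's own IP look like typos, not an attack.
            return "known-ip"
        s.foreign_failures += 1
        if (s.foreign_failures >= self.threshold
                and s.notifications_enabled and not s.notified):
            s.notified = True
            self.notifications.append((user, s.foreign_failures))
            return "notified"
        return "counted"

    def acknowledge(self, user):
        """User has seen the alert (e.g. changed their password): reset the episode."""
        s = self._state(user)
        s.foreign_failures = 0
        s.notified = False


def simulate_distributed_attack(user="bluedog4", attempts=FOREIGN_FAILURE_THRESHOLD):
    """Constructed scenario: every failed attempt comes from a distinct source IP.

    Returns the monitor and the list of per-attempt outcomes.
    """
    mon = BruteForceMonitor()
    own_ip = "203.0.113.7"                 # constructed: user's own last-login IP
    mon.record_success(user, own_ip)
    assert mon.record_failure(user, own_ip) == "known-ip"  # user typo, not counted
    outcomes = []
    for i in range(attempts):
        # constructed attacker addresses, all distinct, drawn from 10.0.0.0/8
        ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        outcomes.append(mon.record_failure(user, ip))
    return mon, outcomes


if __name__ == "__main__":
    mon, outcomes = simulate_distributed_attack()
    state = mon.users["bluedog4"]
    print(f"foreign failures: {state.foreign_failures}, "
          f"notifications sent: {len(mon.notifications)}, "
          f"last outcome: {outcomes[-1]}")
```

Note that the counter is deliberately not reset on a successful login: the user logging in does not mean the attack has stopped, so only an explicit `acknowledge` (or a password change, in a real deployment) starts a new episode. Time-based decay is omitted on purpose, which is the point the comment makes about timeouts.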