One of the things I noticed in the attack yesterday was that they used hundreds of IP addresses to all attack the same URL. If I blocked the URL, they just changed the botnet to target a different URL. CSF Firewall and LiteSpeed Anti-DoS were not picking this up because of so many different IP addresses. But what I noticed is that the same IP address would come around and tag it again at, say, 5-minute intervals. I wonder, would there be a way to detect this type of attack, since the same IP keeps hitting the same URL within a specific amount of time, without creating false positives for, say, things like RSS feed readers? Would this be something LiteSpeed could defend against?
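
The pattern described in the post, written as detection logic over an access log. This is an added example, not part of the original post and not LiteSpeed or CSF code. It assumes combined-format log lines; the thresholds, the feed allowlist paths, the `/target-page` URL and the sample IPs are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed thresholds; tune them against your own traffic.
WINDOW = timedelta(minutes=30)   # look-back period per IP and URL
MIN_HITS = 3                     # hits by one IP on one URL inside WINDOW
MIN_IPS = 5                      # distinct repeating IPs before a URL is flagged
FEED_ALLOWLIST = {"/feed/", "/rss.xml"}  # hypothetical paths polled by feed readers
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*"')

def parse(line):
    """Return (ip, timestamp, path without query string), or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, m.group(3).split("?", 1)[0]

def repeats_in_window(times):
    """True if any MIN_HITS consecutive hits fall within WINDOW."""
    times = sorted(times)
    return any(times[i + MIN_HITS - 1] - times[i] <= WINDOW
               for i in range(len(times) - MIN_HITS + 1))

def find_targeted_urls(lines):
    """Map each flagged URL to the sorted IPs that keep returning to it."""
    hits = defaultdict(lambda: defaultdict(list))   # path -> ip -> [timestamps]
    for ip, ts, path in filter(None, map(parse, lines)):
        if path not in FEED_ALLOWLIST:              # skip expected periodic pollers
            hits[path][ip].append(ts)
    flagged = {}
    for path, by_ip in hits.items():
        # Per-IP rate is low, so count how many IPs repeat rather than how fast.
        repeaters = sorted(ip for ip, t in by_ip.items() if repeats_in_window(t))
        if len(repeaters) >= MIN_IPS:
            flagged[path] = repeaters
    return flagged

def sample_log():
    """Constructed sample: 6 IPs revisit one URL every 5 min; 2 feed readers poll /feed/."""
    start = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
    rows = []
    for rnd in range(3):
        ts = (start + timedelta(minutes=5 * rnd)).strftime("%d/%b/%Y:%H:%M:%S %z")
        for ip, path in [(f"203.0.113.{n}", "/target-page") for n in range(1, 7)] + \
                        [(f"198.51.100.{n}", "/feed/") for n in range(1, 3)]:
            rows.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "-"')
    return rows
```

Calling `find_targeted_urls(sample_log())` flags `/target-page` with its six returning IPs and leaves the feed pollers alone; the returned IP list is what would be handed to a firewall deny list.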