Can we get a URI-based lockout table for 404 lockouts on different IP addresses for the same page request?
For example, "_query.php". The page doesn't exist. One IP gets blocked for repeated attempts. Then another IP gets blocked for repeated attempts. It's obvious that the requesting systems are related. Once one IP gets banned on that page, I'd like to instantly ban any IP that queries that same page - so that they aren't free to continue probing the system by perhaps attempting many other queries, but a smaller number of times. The log would get the entire URI, after which it would help to be able to manually modify that into a regexp to catch requests that subtly tweak the URI to evade this kind of defense mechanism.
For legitimate queries against a page that is temporarily unavailable, we should also be able to whitelist URI patterns, which will flow past Defender and on to standard 404 handling.
I believe that we can do this ourselves, with information provided in another thread for hooking Defender events and updating the block table. But I'm wondering if this should be a part of Defender's standard arsenal.
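
A stand-alone Python model of the behaviour requested above, added here as an illustration and not Defender's code or API. The class and method names, the per-IP-per-URI threshold of 3, the sample URIs and the documentation-range IP addresses are all assumptions.

```python
import re
from collections import defaultdict

class UriLockout:
    """Stand-alone model of the requested behaviour (not Defender code)."""

    def __init__(self, threshold=3, allow_patterns=()):
        self.threshold = threshold          # assumed 404 limit per IP per URI
        self.allow = [re.compile(p) for p in allow_patterns]
        self.block = []                     # URI lockout table (compiled regexps)
        self.uri_log = []                   # full URIs that caused a lockout
        self.hits = defaultdict(int)        # (ip, uri) -> 404 count
        self.banned_ips = set()

    def add_block_pattern(self, pattern):
        """Admin step: add a hand-written regexp derived from a logged URI."""
        self.block.append(re.compile(pattern))

    def on_404(self, ip, uri):
        """Return 'pass', 'count' or 'ban' for one 404 response."""
        if any(p.search(uri) for p in self.allow):
            return "pass"                   # whitelisted: standard 404 handling
        if ip in self.banned_ips or any(p.search(uri) for p in self.block):
            self.banned_ips.add(ip)         # first hit on a locked-out URI bans
            return "ban"
        self.hits[(ip, uri)] += 1
        if self.hits[(ip, uri)] < self.threshold:
            return "count"
        self.banned_ips.add(ip)
        self.uri_log.append(uri)            # keep the entire URI for review
        self.add_block_pattern("^" + re.escape(uri) + "$")  # exact match only
        return "ban"

def demo():
    """Replay constructed events (documentation-range IPs) and return actions."""
    guard = UriLockout(threshold=3, allow_patterns=[r"^/shop/sale\.php$"])
    out = [guard.on_404("192.0.2.10", "/_query.php") for _ in range(3)]
    out.append(guard.on_404("198.51.100.7", "/_query.php"))      # related IP
    out += [guard.on_404("203.0.113.5", "/shop/sale.php") for _ in range(4)]
    out.append(guard.on_404("203.0.113.9", "/_query.php?id=1"))  # tweaked URI
    guard.add_block_pattern(r"/_query\.php")                     # admin regexp
    out.append(guard.on_404("203.0.113.9", "/_query.php?id=1"))
    return out, guard

if __name__ == "__main__":
    print(demo()[0])
```

The tweaked URI is only counted until the exact-match entry is widened by hand, which is the gap the manual regexp step in the request is meant to close.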