Even if you block a specific IP address rather than a range you're potentially blocking "legit sources", though obviously you're more likely to blog legit traffic if you're blocking a range.

Your assumption that two people sharing the first three octets of their IP address are the same (to 1 in a million) is highly flawed -- most people's IP addresses come from their ISP, company, university etc, and many will be coming through a proxy server -- blocking even a single IP is potentialy going to hit "innocent" users. minor edit on method