Good job Cryptowatch.com !
If I understand it right, the chainalysis mode of operation is for them to connect to as many nodes as possible, so if I do a transaction directly from ip A, which runs a full bitcoin core node, be it on a cable-connection or otherwise, if cainalysis is connected to the node where the tx is orginating, the ip-address of the node where the transaction was orginating is recorded within the chainalysis database.
They may also try to reproduce the experiment done by 3 researchers from the University of Luxembourg :
http://arxiv.org/abs/1405.7418If it's their mode of operation, blocking these IPs at individual node level won't be enough since information is leaked by the 8 outgoing peers.
It would require that all full nodes block these IPs. But as you've stated, that sounds like an unenforceable policy...