-snip-
It also ensures that I dont ban IPs for a long time when its not needed or if its a false positive. This prevents that my node helps separating amazon nodes in general from the network.
Correct. This is why I've chosen a 1 month trial period for only the IP's that were misbehaving. I do wonder though, what the person things that they could accomplish with this. They surely don't think that they'd able to completely separate Amazon from the network with such a small attack?
I dont know the reason behind this, but freaky1's idea of separating amazon from the rest of the network makes the most sense. Amazon does not seem to care, this might be something the attack knew in advance. Wasnt amazon also among the ISPs that hosted a significantly large portion of the classic nodes? It might be an attempt to kick them off the network or make it look like someone was trying to do so.
Btw I dont think there is a big difference between manually banning single IPs for a month and automatically banning single IPs for a day each hour if needed. The only advantage I see in my approach is that have clear log file that indicates when the attack stopped (on my node).