A denial of service attack is one thing if it's a smurf, but ISPs often rate-limit ICMP as a matter of policy to perhaps 64 kbit/second. This may be triggered only after a certain volume, etc. A web site is normally attacked with TCP opens, and perhaps even more it is attacked by sending various buffer overruns and, of course, brute-force password attacks. Blocking IP packets from the source address of such attackers, even at the local host of the web server itself, still prevents them from getting up the stack to the application layer, where they cause all sorts of httpd processing. Instead you just throw the SYN on the floor. This is far more effective than a .htaccess rule at reducing the load on your server. If you can clip it at the WAN gateway router, so much the better. Of course one would like to have the ISP filter it, but no system exists now to distribute, in an authenticated manner, the IP addresses of zombies and other attackers. My work includes plans for such mechanisms.
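One way to apply the host-level drop described above, as an added example that is not part of the original text: it reads web server log lines, picks out sources with repeated failed logins, and renders an nftables ruleset that discards their packets before httpd handles them. The table name `webguard`, the set name `blocked4`, the threshold of three 401 responses and the sample log lines are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Apache common-log layout; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.23 - - [10/Oct/2023:13:56:09 +0000] "POST /login HTTP/1.1" 200 2048
x}drop - - [10/Oct/2023:13:58:00 +0000] "POST /login HTTP/1.1" 401 512
x}drop - - [10/Oct/2023:13:58:01 +0000] "POST /login HTTP/1.1" 401 512
x}drop - - [10/Oct/2023:13:58:02 +0000] "POST /login HTTP/1.1" 401 512
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')

def offenders(log_text, threshold=3):
    """IPv4 sources with at least `threshold` 401 responses (assumed policy)."""
    fails = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "401":
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not an address literal: never copy log text into a rule
        if addr.version == 4:  # this sketch builds an ipv4_addr set only
            fails[addr] += 1
    return sorted(a for a, n in fails.items() if n >= threshold)

def nft_ruleset(addrs, ports=(80, 443)):
    """Render an nftables table that drops the listed sources at the input hook."""
    lines = ["table inet webguard {", "    set blocked4 {", "        type ipv4_addr"]
    if addrs:  # an empty set needs no elements line
        lines.append("        elements = { %s }" % ", ".join(str(a) for a in addrs))
    lines += [
        "    }",
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        "        ip saddr @blocked4 tcp dport { %s } drop" % ", ".join(map(str, ports)),
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(nft_ruleset(offenders(SAMPLE_LOG)))
```

The rendered text can be checked with `nft -c -f <file>` before loading it; the same set-based rule can sit on a gateway's forward chain instead of the web host's input chain.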