It is a popular tool. I personally don't use it. I prefer to let attackers bang away at my services. My public SFTP servers are the only servers with ssh exposed on port 22 and the attackers are free to play 365 days a year. It costs me nothing and wastes their threads. Websites? Enumerate away!
Why? It helps to know that when you block one IP, you have not blocked a bot. The Command and Control systems manage thousands or sometimes tens of thousands of compromised systems. The C&C can be configured to continue on with a new IP instantly when blocked, though most botters prefer to be a little stealthy, so you won't see it return for a while. This gives the illusion that you have blocked the bad bot. The C&Cs that attack big financial institutions will also utilize dozens of VPS cloud accounts and hundreds of LTE modems from several carriers. Blocking them by IP is not practical unless you are open to blocking all VPS and wireless carriers entirely, which most businesses will not do.
I prefer to entirely ignore IP addresses and generalize protections at the application layer or the load balancer if required. Obvious enumeration or attacks can be sink-holed via load balancer configurations and tarpits/traps easily enough. How to summarize protections? One way is to grab the access logs for the past year and write a script to generate regex patterns to allow/deny: patterns I know I will see and patterns I know I should never see. If something is really sensitive enough for me to feel the need to block bots, then it will not be on the public internet. I will put it in a private network behind a VPN.
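One way to script the log-driven approach described above, as an added example that is not the commenter's own code: it reads combined-format access log lines (a constructed sample is embedded), generalizes the paths the server actually served into allow regexes, and reports which requests fall outside that allow set. The log lines, paths and status codes are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample access log (combined log format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /static/app.js HTTP/1.1" 200 2048
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 300
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /api/v1/users/17 HTTP/1.1" 200 310
192.0.2.44 - - [10/Oct/2023:14:01:10 +0000] "GET /wp-login.php HTTP/1.1" 404 150
192.0.2.44 - - [10/Oct/2023:14:01:11 +0000] "GET /.env HTTP/1.1" 404 150
"""

# Pull method, path and status out of the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def generalize(path):
    """Turn one concrete path into an anchored regex; numeric segments become \\d+
    so /api/v1/users/42 and /api/v1/users/17 collapse into a single pattern."""
    segments = path.split("?", 1)[0].split("/")
    parts = [r"\d+" if s.isdigit() else re.escape(s) for s in segments]
    return "^" + "/".join(parts) + "$"


def build_allow_patterns(log_text):
    """Collect allow patterns from paths the server answered with 2xx/3xx.
    Returns a Counter so rarely seen patterns can be reviewed before use."""
    patterns = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("status")[0] in "23":
            patterns[generalize(m.group("path"))] += 1
    return patterns


def classify(log_text, allow_patterns):
    """Return the request paths that match none of the allow patterns;
    these are the candidates for a deny/tarpit rule at the load balancer."""
    compiled = [re.compile(p) for p in allow_patterns]
    denied = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        bare = m.group("path").split("?", 1)[0]
        if not any(c.match(bare) for c in compiled):
            denied.append(m.group("path"))
    return denied


if __name__ == "__main__":
    allow = build_allow_patterns(SAMPLE_LOG)
    for pattern, hits in allow.most_common():
        print(f"allow {pattern}  ({hits} hits)")
    for path in classify(SAMPLE_LOG, allow):
        print(f"deny  {path}")
```

In practice the allow set is built from a long window of logs and reviewed by hand before the deny side is enforced, since any legitimate path that never appeared in the window would otherwise be blocked.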