Yes, the performance impact is very much a deal-breaker for this kind of thing.
I had not mentioned another option previously. Please keep in mind that this option can be a dangerous overkill for your use case.
You could use CloudFlare in front of your site and have it block entire ASNs (example). CloudFlare can do that as they are a network provider themselves, therefore they get the BGP tables. This allows them to correlate IPs to ASNs virtually instantaneously. That's a deeper level of insight that anyone below the level of an ISP simply does not have access to, period. This is an oversimplification of what is going on, but it works well enough for the purposes of explaining this feature.
Be very careful if you decide to go the ASN filtering route. I only recommend it when you are under heavy, sustained attack (DoS, DDoS), and only as a temporary measure while the attack is in progress – that's the only context I ever use that feature. I would not recommend this as a general-purpose blocking method. It's the networking equivalent of being granted genie wishes: you always get exactly what you asked, never what you actually meant.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
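The reply above describes mapping IPs to ASNs from routing data and warns that an ASN block catches more than intended. The sketch below is an added example, not code from the post's author or from CloudFlare: it does a longest-prefix match over a small constructed prefix table and counts which requests an ASN block would catch. The prefixes, ASNs, request list and function names are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed prefix-to-origin-ASN table, using documentation ranges
# (RFC 5737 prefixes, RFC 5398 ASNs). A real table comes from BGP data.
PREFIX_TABLE = [
    ("198.51.100.0/24", 64496),
    ("198.51.100.128/25", 64497),  # more-specific route inside the /24
    ("203.0.113.0/24", 64498),
]

# Most specific prefixes first, so the first hit is the longest match.
ROUTES = sorted(
    ((ipaddress.ip_network(p), asn) for p, asn in PREFIX_TABLE),
    key=lambda route: route[0].prefixlen,
    reverse=True,
)

def asn_for(ip):
    """Return the origin ASN of the most specific covering prefix, or None."""
    addr = ipaddress.ip_address(ip)
    for net, asn in ROUTES:
        if addr in net:
            return asn
    return None

# Constructed requests: (source IP, True if it is a known legitimate visitor).
REQUESTS = [
    ("198.51.100.10", False),
    ("198.51.100.11", False),
    ("198.51.100.12", False),
    ("198.51.100.77", True),    # customer on the same network as the flood
    ("198.51.100.200", False),  # hostile, but routed via a different ASN
    ("203.0.113.5", True),
    ("192.0.2.9", True),        # no covering prefix in the table
]

def block_impact(blocked_asns, requests):
    """Count requests by (decision, kind) if the given ASNs were blocked."""
    impact = Counter()
    for ip, legit in requests:
        decision = "blocked" if asn_for(ip) in blocked_asns else "allowed"
        impact[(decision, "legit" if legit else "hostile")] += 1
    return impact

if __name__ == "__main__":
    for key, count in sorted(block_impact({64496}, REQUESTS).items()):
        print(key, count)
```

Blocking AS64496 here stops three hostile requests, also locks out one legitimate visitor on the same network, and misses the hostile source that sits behind the more-specific route.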