In case of attacks that originate mainly from a few networks it would be good if the generated filter rules would instead of excluding source address summarize the next big source prefix. This way filtering could prevent to create impact to regular users of a service / port.

Example:

The Attack originates from the ip addresses: 192.0.2.2, 192.0.2.5, 192.0.2.45 and 192.0.2.77 - in this case a flowspec rule that filters 192.0.2.0/24 would be the best option to prevent filtering legitimate traffic trying to access a target.