Active responses such as dropping and ignoring requests are the only kind of automated response I've engaged in.
Any commercial IPS or Web Application Firewall does this. HIDS/HIPS can be considered too, for extremely small deployments.
Simple WAF rules might block the attacker for a limited time if:
- the User-Agent is wget or curl or similar automation
- somebody tries a known, specific, well-defined exploit
- somebody tries a well-defined category of exploit: directory traversal, SQL injection,
The WAF can be tuned to include blocks for things like:
- requests for pages which indicate a technology you don't have (e.g., aspx)
- requests for common administrative pages (e.g., /admin.php)
IPSes can also do this but are less precise in their signatures, as they tend not to provide information on the HTTP protocol, but raw packets instead. This does give them some extra abilities such as detecting attacks on the WAF or proxy itself, or non-HTTP/HTTPS attacks.
These kinds of responses are normally limited to high-confidence signatures. Commercial vendors tend to include confidence factors in their signature information and allow you to limit blocks accordingly.
Snort, McAfee IntruShield, and IBM SiteProtector are IPSes which I've used to do this. F5's ASM I've used for WAF responses; fail2ban and OSSEC on the HIDS side.
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node26.html
http://ossec-docs.readthedocs.io/en/latest/manual/ar/
Automated blocks are reviewed daily and monitored in real-time. The risk of a signature impacting production is very real. Signatures are deployed on a Dev/Stage/Prod cycle so that new signatures don't reach production without a full test cycle.
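
As an added illustration (not part of the original answer, and not any vendor's rule syntax), the sketch below applies the kinds of rules listed above to access-log lines, blocking only when a signature's confidence meets a threshold and expiring each block after a fixed window. The rule names, confidence values, threshold, block duration and log lines are all assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Hypothetical signatures: (name, request field, pattern, confidence 0-100).
RULES = [
    ("automation-ua", "ua",   re.compile(r"^(wget|curl)\b", re.I),      60),
    ("dir-traversal", "path", re.compile(r"\.\./|%2e%2e(/|%2f)", re.I), 90),
    ("absent-tech",   "path", re.compile(r"\.aspx(\?|$)", re.I),        80),
    ("admin-page",    "path", re.compile(r"^/admin\.php(\?|$)", re.I),  70),
]
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def evaluate(lines, min_confidence=75, block_for=timedelta(minutes=10)):
    """Return (ip, action, rule) per request; action is allow/alert/block/drop."""
    blocked_until, decisions = {}, []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ip = m["ip"]
        now = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if blocked_until.get(ip, now) > now:
            decisions.append((ip, "drop", None))  # still inside the block window
            continue
        hits = [(conf, name) for name, field, rx, conf in RULES
                if rx.search(m[field])]
        if not hits:
            decisions.append((ip, "allow", None))
            continue
        conf, name = max(hits)  # act on the highest-confidence match
        if conf >= min_confidence:
            blocked_until[ip] = now + block_for  # time-limited, not permanent
            decisions.append((ip, "block", name))
        else:
            decisions.append((ip, "alert", name))  # low confidence: log only
    return decisions

# Constructed sample log lines (combined log format, documentation IP ranges).
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:00:05 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:20:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Mar/2024:10:21:00 +0000] "GET /login.aspx HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]
```

Running the same log through `evaluate` with a lower `min_confidence` in a staging environment shows which additional clients a signature would have blocked before it is promoted to production.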