Some kind of option that can be added at the creation of the droplet to use switch- or router-level blacklists? This way those of us who want set-it-and-forget-it protection can just turn this on, maybe use a protected gateway. Those who may be doing security research and want to see all the ugliness coming in to analyze logs can just not enable the protected gateway. A win-win for everyone. Maybe even a way to collect data from the hive to report offenders or attacks automatically, protecting everyone.
Starting about a year ago all of my servers started experiencing continuous brute-force SSH attacks (usually originating from China). I installed fail2ban on my personal droplet and then on 6 other droplets I manage for clients. Watching my email notifications come in, I quickly realized I had to up my ban time to at least 3 weeks. Still the attacks kept coming; even ones that were banned for 3 weeks came back for more. My iptables were filling up with IPs to block and my inbox was getting inundated. I thought to myself, DigitalOcean has to know their networks are getting flooded by these same repeat offenders, negatively affecting everything from their clients to their networks, but they have done nothing to help us. Can you start blacklisting and blocking these IPs at the switch level to help us admins? Right now we're all easy targets, wasting bandwidth and CPU cycles on attacks that can and should be blocked.
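As an added illustration of the setup the post describes (not the poster's own configuration), here is a `jail.local` that gives the `sshd` jail a 3-week ban and enables fail2ban's bundled `recidive` jail, which watches fail2ban's own log and re-bans, on all ports and for longer, any address that keeps coming back after a ban expires. The mail addresses are placeholders; `%(sshd_log)s`, `%(sshd_backend)s`, `%(banaction_allports)s` and `%(action_mwl)s` are variables fail2ban 0.10+ ships in its default `jail.conf`/`paths-common.conf`.

```ini
# /etc/fail2ban/jail.local  (added example, not from the original post)

[DEFAULT]
# 21 days in seconds (fail2ban 0.10+ also accepts "21d")
bantime  = 1814400
# 5 failures within 10 minutes triggers a ban
findtime = 600
maxretry = 5
# Ban plus mail with whois and log lines; addresses are placeholders
destemail = admin@example.com
sender    = fail2ban@example.com
action    = %(action_mwl)s

[sshd]
enabled  = true
port     = ssh
logpath  = %(sshd_log)s
backend  = %(sshd_backend)s

[recidive]
# Bundled jail: reads /var/log/fail2ban.log for "Ban <ip>" lines from any
# jail. An IP banned 3 times within 3 weeks is banned again for 8 weeks
# on every port, so repeat offenders stop reappearing every ban cycle.
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = %(banaction_allports)s
# 8 weeks in seconds
bantime   = 4838400
# look back 3 weeks
findtime  = 1814400
maxretry  = 3
```

After `systemctl restart fail2ban`, `fail2ban-client status sshd` and `fail2ban-client status recidive` show the current ban counts; the long-term bans live in the recidive chain rather than piling up in the per-jail chain.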