I know this is a big one. In fact, it may be used for some SO community wiki.

Anyways, I am running a website that DOES NOT use explicit authentication of users. It’s public as in open to everybody. However, due to the nature of the service, some users need to be locked out due to misbehavior.

I am currently blocking IP addresses, but I am aware of the supposed fact that many people purposefully reset their DHCP client cache to have their ISP assign them new addresses. Is that a fact? I think it certainly is a lucrative possibility for some people who want to circumvent being denied access.
So IPs turn out to be a suboptimal way of dealing with this. But there is nothing else, is it?

MAC addresses don’t survive on WAN (change from hop to hop?), and even if they did – these can also be spoofed, although I think less easily than IP renewal.

Cookies and even Flash cookies are out of the question, because there are tons of “tutorials” how to wipe these, and those intent on wreaking havoc on Internet are well aware and well equipped against such rudimentary measures I would employ.

Is there anything else to lean on? I was thinking heuristical profiling – collecting available data from client-side and forming some key with it, but have not gone as far as to implementing it – is it an option?