Seems to me like it would be pretty simple to block a group of IP addresses to stop an attack. Unless someone brought something inside, then it might be more difficult to isolate, but not impossible to stop.
Once the system is compromised and your internal servers become the attack vector, you’re screwed.