Blocking the scanner protects us, and tarpitting the scanner helps to protect others. What really needs to happen, though, is notification of a responsible party so that the scanning activity stops, either by cleaning and securing a compromised or infected host or by having the scanner's account terminated and Internet access removed.
To do this, you can watch your logs and manually track down responsible parties and send them email when you're attacked. This is, however, a lot of work.
Fortunately there are resources to automate this process. We'll tie together two tools: LogCheck (now LogSentry) periodically processes new log entries, and DShield serves as a central clearing house for collecting attack data and notifying responsible parties. We'll use LogCheck to collect attack data from our logs, and add the capability to have it mail the relevant portions automatically to DShield.
DShield monitors incoming data from many sites. When it appears an attack is underway (e.g. enough suspicious traffic is coming from a given IP), DShield determines who is responsible for that IP and notifies them that a computer in their domain is attacking others.
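The flow described above, as an added example that is not part of the original page and is not LogCheck's or DShield's own code: each site pulls firewall hits out of its logs, and a central collector flags a source once enough sites report it. The `TARPIT` log prefix, the two thresholds, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample logs from two hypothetical sites. Lines follow the
# netfilter LOG layout; the "TARPIT" prefix is an assumed --log-prefix value.
# Addresses are from the RFC 5737 documentation ranges.
SITE_A_LOG = """\
Mar  3 04:12:01 gw kernel: TARPIT IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=41022 DPT=22 SYN
Mar  3 04:12:02 gw kernel: TARPIT IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 LEN=60 PROTO=TCP SPT=41023 DPT=22 SYN
Mar  3 04:15:40 gw sshd[811]: Accepted publickey for admin from 192.0.2.50
Mar  3 04:16:09 gw kernel: TARPIT IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=5122 DPT=23 SYN
"""
SITE_B_LOG = """\
Mar  3 04:13:30 fw kernel: TARPIT IN=eth1 OUT= SRC=203.0.113.7 DST=192.0.2.200 LEN=60 PROTO=TCP SPT=41990 DPT=22 SYN
"""

def extract_hits(log_text, prefix="TARPIT"):
    """Return (src, dst, proto, dport) for every firewall line with our prefix."""
    pattern = re.compile(
        r"kernel: " + re.escape(prefix) +
        r" .*?SRC=(\S+) DST=(\S+) .*?PROTO=(\S+) SPT=\d+ DPT=(\d+)")
    hits = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:  # unrelated entries (sshd, cron, ...) are not reported
            src, dst, proto, dport = m.groups()
            hits.append((src, dst, proto, int(dport)))
    return hits

def flag_sources(submissions, min_sites=2, min_hits=3):
    """Clearing-house side: submissions maps site name -> list of hits.
    Thresholds are illustrative assumptions, not DShield's real values."""
    sites, count = defaultdict(set), defaultdict(int)
    for site, hits in submissions.items():
        for src, _dst, _proto, _dport in hits:
            sites[src].add(site)
            count[src] += 1
    return sorted(s for s in count
                  if len(sites[s]) >= min_sites and count[s] >= min_hits)

if __name__ == "__main__":
    reports = {"site-a": extract_hits(SITE_A_LOG),
               "site-b": extract_hits(SITE_B_LOG)}
    for src in flag_sources(reports):
        print("notify responsible party for", src)
```

A source seen by only one site stays below the threshold, which is why pooling reports centrally surfaces scanners that no single site's logs would single out.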
The benefits to this are:
(covers configuring SNMP to report tarpit traffic statistics, and configuring mrtg to log and report those statistics)