What about timing? What about breaking up segments of the network to be scanned by different hosts?
It's really a matter of getting a sizable 'line mine net' up. With dshield, I hope to ultimately have a couple in each AS, probably with some local aggregation. The trick is that you use other people's line mines. It doesn't help you to use your own. Scan & exploit often come in one package, so by the time you figure out you are scanned, you probably already lost a few hosts. The trick with distributed (or 'collaborative', as I think it is better called) intrusion detection is that whoever gets scanned first tells everyone else. Also: this has to be automated, because whoever gets hit first is probably too busy cleaning up to worry about posting all the gory details on this or any other list.
How many hits on the linemines constitute blocking? Are you blocking hosts or networks?
up to you... Setting too much of a policy would make the system predictable and vulnerable. (attacker knows: only scan 99 hosts from each zombie...)
Either way, what about dynamic IPs?
blocking a network will take care of them. Other than that: for a DSL/cable line the IP will not change much, and for a dialup line they would have to hang up & dial a lot to get a good IP distribution.
What about scans done from different networks other than that which the supposed attacker is originating from.
Well, then these networks are marked as "attackers", which is ok. They can clean up their systems and enjoy full access again.
It's universities, unsecured wireless LANs, etc.
same thing: if you run an unsecured wireless network, maybe you shouldn't have given it access to the net in the first place.
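A small aggregator for the collaborative scheme discussed in this thread, added here as an example (not DShield's code): several sensors report the sources that scanned them, a host is blocked only once enough different sensors have reported it, and a whole /24 is blocked when the reports show an attacker hopping between addresses inside it, which is the dynamic-IP case above. Sensor names, addresses and thresholds are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample reports: (reporting sensor, source address that scanned it).
# Each sensor stands for a "line mine" run by a different participant.
SAMPLE_REPORTS = [
    ("sensor-a", "203.0.113.5"),
    ("sensor-b", "203.0.113.5"),
    ("sensor-c", "203.0.113.5"),
    ("sensor-a", "203.0.113.9"),     # same pool, different address
    ("sensor-d", "203.0.113.77"),
    ("sensor-b", "198.51.100.20"),
    ("sensor-a", "198.51.100.20"),
    ("sensor-a", "198.51.100.20"),   # repeat from one sensor: counted once
]

def aggregate(reports, host_threshold=3, net_host_threshold=2, prefix=24):
    """Return (blocked_hosts, blocked_networks) as sets of strings.

    A host is blocked once host_threshold *distinct* sensors reported it,
    so one noisy sensor cannot get an address blocked on its own.
    A prefix is blocked once at least net_host_threshold distinct source
    addresses in it were seen and the union of reporters for the prefix
    reaches host_threshold (an attacker rotating through a dynamic pool).
    """
    reporters_by_host = defaultdict(set)
    for sensor, src in reports:
        reporters_by_host[ip_address(src)].add(sensor)

    blocked_hosts = {str(h) for h, sensors in reporters_by_host.items()
                     if len(sensors) >= host_threshold}

    hosts_by_net = defaultdict(set)
    reporters_by_net = defaultdict(set)
    for host, sensors in reporters_by_host.items():
        net = ip_network(f"{host}/{prefix}", strict=False)
        hosts_by_net[net].add(host)
        reporters_by_net[net] |= sensors

    blocked_networks = {str(n) for n in hosts_by_net
                        if len(hosts_by_net[n]) >= net_host_threshold
                        and len(reporters_by_net[n]) >= host_threshold}
    return blocked_hosts, blocked_networks

if __name__ == "__main__":
    print(aggregate(SAMPLE_REPORTS))
```

The thresholds are parameters on purpose: as the reply above notes, a fixed published policy is what an attacker would tune against.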