Security Basics mailing list archives

Incident response to being scanned


From: Bob Kelley <b0bk3ll3yjr () adelphia net>
Date: 25 Apr 2003 05:16:05 -0000



In reviewing my firewall and web server logs, I see repeated attempts from 
several IP addresses to scan my network as well as infect my webserver 
with Code Red.  The source addresses are not always the same.  I am 
confident that I don't have any holes in my firewall and my webserver is 
up to date.  I perform weekly vulnerability scans of my equipment to make 
sure I am covered. 

What is considered the best practice for dealing with these incidents? 
Should I be filing abuse reports with the ISPs of the source IPs?  This 
obviously takes time.  I am looking for a business case to justify the 
time spent responding.  

Thanks
