On Tue, Jan 24, 2023 at 1:51 PM Rob PE1CHL via 44net <44net@mailman.ampr.org> wrote:
> It is relatively easy to autoblock such scanners at a gateway due to the large address space that we have, and its relatively sparse use.
> Once you notice a lot of incoming traffic on unallocated subnets, you know it is from a scanner.

We do this for HamWAN's (BGP-announced) address space. We have a couple intentionally-dark IP addresses, and if the edge routers detect packets destined to these addresses, the source gets blocked in the firewall.

Our reasoning is something I haven't seen addressed in this thread yet. Beyond the edge routers, there are parts of the network that transmit on amateur radio. As control operators of this network, we have an obligation to ensure that regulations are followed as closely as possible. These scanners are traffic not initiated by an amateur radio operator, so we try to block them from reaching the part of the network that uses radio.

Tom KD7LXL
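
The two triggers described in this message (a packet to an intentionally dark address, and a lot of traffic to unallocated subnets) are sketched below as an added example; it is not part of the original e-mail and not HamWAN's router configuration. All prefixes, addresses, the threshold and the names `EdgeFilter`, `TRACE` and `run` are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed values from documentation ranges; not real HamWAN or 44net data.
ANNOUNCED = ipaddress.ip_network("198.51.100.0/24")
ALLOCATED = [ipaddress.ip_network("198.51.100.0/26"),
             ipaddress.ip_network("198.51.100.128/27")]
DARK = {ipaddress.ip_address("198.51.100.20"),
        ipaddress.ip_address("198.51.100.140")}
THRESHOLD = 3  # assumed: distinct unallocated destinations before blocking

class EdgeFilter:
    def __init__(self):
        self.blocked = set()
        self.unallocated_hits = defaultdict(set)

    def handle(self, src, dst):
        """Return 'drop' or 'forward' for one inbound packet."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src in self.blocked:
            return "drop"
        if dst in DARK:  # one packet to a dark address is enough
            self.blocked.add(src)
            return "drop"
        if dst in ANNOUNCED and not any(dst in n for n in ALLOCATED):
            # Nothing lives here; count distinct targets per source.
            self.unallocated_hits[src].add(dst)
            if len(self.unallocated_hits[src]) >= THRESHOLD:
                self.blocked.add(src)
            return "drop"
        return "forward"

# Constructed inbound packets as (source, destination).
TRACE = [
    ("203.0.113.5", "198.51.100.10"),   # ordinary traffic to a live host
    ("203.0.113.9", "198.51.100.20"),   # touches a dark address
    ("203.0.113.9", "198.51.100.10"),   # same source, now blocked
    ("192.0.2.44", "198.51.100.70"),    # unallocated destination 1
    ("192.0.2.44", "198.51.100.71"),    # unallocated destination 2
    ("192.0.2.44", "198.51.100.72"),    # unallocated destination 3: blocked
    ("192.0.2.44", "198.51.100.10"),    # blocked before reaching a live host
    ("203.0.113.5", "198.51.100.130"),  # ordinary traffic still forwarded
]

def run(trace):
    edge = EdgeFilter()
    verdicts = [edge.handle(s, d) for s, d in trace]
    return verdicts, sorted(str(a) for a in edge.blocked)

if __name__ == "__main__":
    print(run(TRACE))
```

Source addresses can be forged, so a deployment of this idea would normally expire block entries and exempt its own trusted peers.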