I would imagine that, in a fashion similar to port knocking, if being scanned (regardless of IP), you could blackhole all new connections from non-whitelisted IPs for a period of time.