"Sometimes, if a computer system is affected too much by a port scan, one can argue that the port scan was, in fact, a denial-of-service (DoS) attack, which is usually an offense."
Rate limit target IP subnets. 0.1 second timeout per port per IP: ten ports on one IP delays a second, one port on everything in a /24 delays 25.5 seconds. It's useful without being abusive.
http://www.sans.org/security-resources/idfaq/port_scanning_l...