I'd suggest configuring this in an upstream fiirewall.
I haven't delved into the RFC's on this, but WinXP and Linux 2.6 both answer with a RST ACK when a client makes a request to a configured IP on a port which isn't in a listening state:
$ tshark -nr winxp_rst_ack.dmp
1 0.000000 1.1.1.1 -> 2.2.2.2 TCP 1262 > 10000 [SYN] Seq=0 Win=64240 Len=0 MSS=1237
2 0.000045 2.2.2.2 -> 1.1.1.1 TCP 10000 > 1262 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
3 0.569805 1.1.1.1 -> 2.2.2.2 TCP 1262 > 10000 [SYN] Seq=0 Win=64240 Len=0 MSS=1237
4 0.569852 2.2.2.2 -> 1.1.1.1 TCP 10000 > 1262 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
5 1.174020 1.1.1.1 -> 2.2.2.2 TCP 1262 > 10000 [SYN] Seq=0 Win=64240 Len=0 MSS=1237
6 1.174071 2.2.2.2 -> 1.1.1.1 TCP 10000 > 1262 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
tcpdump -ni eth0 tcp port 10000
17:33:48.237046 IP 2.2.2.2.4776 > 3.3.3.3.10000: S 844152135:844152135(0) win 64512
17:33:48.237052 IP 3.3.3.3.10000 > 2.2.2.2.4776: R 0:0(0) ack 844152136 win 0
17:33:48.597120 IP 2.2.2.2.4776 > 3.3.3.3.10000: S 844152135:844152135(0) win 64512
17:33:48.597125 IP 3.3.3.3.10000 > 2.2.2.2.4776: R 0:0(0) ack 1 win 0
17:33:49.143940 IP 2.2.2.2.4776 > 3.3.3.3.10000: S 844152135:844152135(0) win 64512
17:33:49.143947 IP 3.3.3.3.10000 > 2.2.2.2.4776: R 0:0(0) ack 1 win 0
uname -a
Linux devserver 2.6.22-14-server 1 SMP Tue Feb 12 08:27:05 UTC 2008 i686 GNU/Linux
Aaron