I've just blocked 220.127.116.11. I haven't been paying heed to my DShield reports and when I compared two reports today, I saw the same IP generating many hits. I checked the firewall logs and processed how many alerts this IP has generated. I found that the attacks began Nov 18th and the total number of alerts is 863.
This IP was a prime candidate for blocking.
Why don't I use Snort-inline? Because I don't have that much control over the network that my host is on (it's a colo box running on a virtual server). So, I have to do things manually...it's not a problem, as it keeps me on my toes.
EDIT - I actually blocked 3 other IPs also. What's funny is that I saw one that was trying to connect on port 3389 (MS Term Svcs)...to a Linux machine...