Since I noticed some script kiddies actually launching distributed cross-site scripting and directory traversal attacks, spawning 5 to 10 jobs per site at the same time, the blacklisting reaction time needed to be shortened and improved.
What happens now is that the system not only reacts to the remote attacker's request as it arrives, but also tells the firewall to immediately terminate all active connections from the attacker's IP address.
The first reports show that the attacker barely gets 2 connections open before these, and all remaining ones in the firewall queue, are terminated. To the attacker it looks as if the site no longer responds, and because of the new entry in the firewall blacklist, no new request can be issued.
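To show what the reaction described above involves on a Linux host, here is an added example (not the post's own code): it scans web-server log lines for traversal and XSS signatures, blacklists each attacking IP once, and emits the iptables DROP rule plus the conntrack deletion that cuts the attacker's already-open connections. The signatures, the log lines and the command set are constructed assumptions; by default the commands are only recorded, not executed.

```python
import ipaddress
import re

# Constructed, illustrative signatures for the two attack classes the post mentions.
TRAVERSAL = re.compile(r"\.\./|%2e%2e(%2f|/)|\.\.\\", re.IGNORECASE)
XSS = re.compile(r"<script|javascript:|on(error|load)\s*=", re.IGNORECASE)
# Combined log format: client IP first, then the quoted request line.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*"')

def classify_request(target):
    """Return 'traversal', 'xss' or None for the raw request target."""
    if TRAVERSAL.search(target):
        return "traversal"
    if XSS.search(target):
        return "xss"
    return None

def firewall_commands(ip):
    """Commands that blacklist ip and cut its live flows (assumed iptables/conntrack setup).
    A DROP rule alone does not reach flows already accepted by an ESTABLISHED rule,
    so the matching conntrack entries are deleted as well."""
    ip = str(ipaddress.ip_address(ip))  # raises ValueError for anything but a plain IP
    return [
        ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"],
        ["conntrack", "-D", "-s", ip],
    ]

def process_log(lines, blacklist, runner=None):
    """Blacklist each attacking IP once; record (and optionally run) the firewall commands."""
    executed = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, _method, target = m.groups()
        kind = classify_request(target)
        if kind is None or ip in blacklist:
            continue  # benign, or already cut off by an earlier request
        blacklist[ip] = kind
        for cmd in firewall_commands(ip):
            executed.append(cmd)
            if runner:
                runner(cmd)
    return executed

# Constructed sample log lines for a stand-alone dry run.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0',
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?q=<script>alert(1)</script> HTTP/1.1" 200 0',
    '198.51.100.2 - - [10/Oct/2023:13:55:37 +0000] "GET /about.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for cmd in process_log(SAMPLE_LOG, {}):
        print(" ".join(cmd))
```

To act for real, pass `runner=lambda cmd: subprocess.run(cmd, check=True)` (as root); the second request from the same IP produces no further commands because the IP is already blacklisted.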