Worms, Viruses, how do I get rid of them?

firefly2442

3:12 am on Nov 20, 2002 (gmt 0)

I'm running Apache and I've been looking at the access log, and there are tons of hits trying to access "cmd.exe", "default.ida" and "root.exe" through different levels. Is there a way to stop this? It's taking up a lot of bandwidth and continues to get worse.

-Thank you for the help.

jdMorgan

5:11 am on Nov 20, 2002 (gmt 0)

firefly2442,

The only way to totally stop it is to block the offending IP addresses at the host's firewall. Your hosting service may or may not be willing to do this for you.

On the remote chance that some variants might be smart enough to handle a 403-forbidden code, you can add the following to your top-level .htaccess file, or modify it slightly to work in httpd.conf if you have configuration file privileges:


# Add options, Enable mod_rewrite
Options +FollowSymlinks
RewriteEngine On
#
# Block MS IIS server security exploits
RewriteRule \.ida$ - [F]
RewriteRule /cmd\.exe$ - [F]
RewriteRule /root\.exe$ - [F]
RewriteRule /shell\.exe$ - [F]
RewriteRule \_vti\_ - [F]
RewriteRule ^NULL - [NC,F]
#
# Block various attacks
RewriteRule ^a\.asp/ - [F]
RewriteRule ^.*\.\./ - [F]
RewriteRule formm?ail - [NC,F]

Another thing you can do is to look up the offending IP addresses using ARIN, APNIC, and RIPE, and report them to their ISPs. Sometimes this works, sometimes it doesn't.

HTH,
Jim
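
An added example (not part of the original posts): a Python sketch that replays the patterns from the rules above over access-log lines and counts matching probes and bytes served per client IP, which gives the list of addresses to look up and report. The log lines are constructed samples, the function names are hypothetical, and the path handling only approximates what mod_rewrite sees in a top-level .htaccess.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Patterns copied from the .htaccess rules above; True marks the [NC] flag.
RULES = [
    (r"\.ida$", False), (r"/cmd\.exe$", False), (r"/root\.exe$", False),
    (r"/shell\.exe$", False), (r"\_vti\_", False), (r"^NULL", True),
    (r"^a\.asp/", False), (r"^.*\.\./", False), (r"formm?ail", True),
]
COMPILED = [re.compile(p, re.I if nc else 0) for p, nc in RULES]

# Common/combined log format: ip ident user [time] "METHOD uri PROTO" status bytes
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3}) (\d+|-)')

def htaccess_path(uri):
    """Approximation (an assumption of this example) of the string a top-level
    .htaccess RewriteRule tests: no query string, decoded once, no leading slash."""
    return unquote(uri.split("?", 1)[0]).lstrip("/")

def is_probe(uri):
    path = htaccess_path(uri)
    return any(rx.search(path) for rx in COMPILED)

def summarize(lines):
    """Return {ip: [probe_hits, bytes_sent]} for requests matching any rule."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE.match(line)
        if not m or not is_probe(m.group(2)):
            continue
        ip, _, _, size = m.groups()
        stats[ip][0] += 1
        stats[ip][1] += 0 if size == "-" else int(size)
    return dict(stats)

# Constructed sample lines using documentation IP ranges, not from a real log.
SAMPLE = [
    '192.0.2.10 - - [20/Nov/2002:03:01:11 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.10 - - [20/Nov/2002:03:01:12 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '198.51.100.7 - - [20/Nov/2002:03:02:40 +0000] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 272',
    '203.0.113.5 - - [20/Nov/2002:03:03:05 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [20/Nov/2002:03:03:09 +0000] "GET /cgi-bin/FormMail.pl HTTP/1.0" 404 281',
]

if __name__ == "__main__":
    for ip, (hits, size) in sorted(summarize(SAMPLE).items()):
        print(f"{ip}\t{hits} probes\t{size} bytes")
```

In this model a request for `/cmd.exe` directly under the document root is not matched by `/cmd\.exe$`, because per-directory rules test the path without its leading slash; the probes in the sample all sit under a subdirectory such as `/scripts/`.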