Simple enough- setup 1 extra machine that is exposed to the same environment as the machines you'd like to protect, but allow no user logins. Configure the box to track all attempts to log in. Voila- all ip's you capture are bogus (save for the occasional user typo) and can be blocked on your other nodes. Yes, with a large enough botnet pool, every attempt on separate nodes in your network could be done with unique bot, but I don't think the hack has advanced that far as of yet.
Even better, combine this with mosfet's suggestion, and move all the "real" nodes to port other than the standard ssh ones.