Shell Provider - DDoS Attacks - IPFW Ratelimiting

[PsYxAkIaS (FreeBSD)]

Hello all,

I currently administrate a shell provider that has several problems with DDoS attacks. Most attacks are with infected botnets(I've seen even 5000+ ips) that use icmp or tcp flood on 21/80/113(ftp/http/ident) ports and/or sometimes udp flood. Our connection is 10 mbps and we are planning to move to 100 mbps. However I am trying to find some solutions to limit the problem like cisco firewall or some special technical support from the colocation isp (Internap) because sometimes attacks are over 100 mbps like 300-350 mbps.  

-->> FEEL FREE TO GIVE ME YOUR SUGGESTIONS AGAINST DDOS ATTACKS, WHATEVER IT IS, I WILL APPRECIATE IT :) <---

Anyway, In order to slow down DDoS attacks we are thinking to set ratelimit. I recompiled the kernel with DUMMYNET and I am running something like the following:

For example, to limit 400 kbps on 212.*:
----------------------------------------------------------
ipfw pipe 1 config bw 400kbit/s delay 50ms
ipfw add 100 pipe 1 pipe from 212.1.1.1/8 to any
ipfw add 101 pipe 1 pipe from any to to 212.1.1.1/8

I am planning to do the same for each A-Class (I know 400 kbit/s per a-class is too slow but i am trying to help it that way), so even if the attackers use 10 a-classes the max outgoing bandwidth will be at 4 mbps.

My question is, there are also some other parameters on pipe that can slow down a DDoS attack like queue, what would you suggest for it? I found out that freebsd has hardlimit at 100 queue buffers and noticed that some websites that show ethernet's limit of queue buffers is 50-100. Can you explain me a little or give me a url on how it works? Or give me your personal suggestions?

And a last thing, I use right now tcpdump, trafshow, ipfm to trace the source(attackers) and the destination(which one of my ips is attacked) ips. Do you suggest any other tools to make my life easier?

I will appreciate any public or private answer.

Thanks.