ipfw + DDOS

Paul Macdonald paul at ifdnrg.com
Mon Dec 7 14:55:28 UTC 2009


Hi,

I have a nameserver that occasionally gets blitzed for a few minutes by a high number of dynamic and changing IPs.

The nameserver doesn't give recursive lookups but 500,000 denied requests over 5-10 mins still hurts a bit.

I use ipfw and had thought that rate limiting connections on the incoming port would help but I'm not sure if this is my best option.

I've been doing some testing as part of the problem is generating enough traffic to simulate, but then I start to see dynamic ipfw rules kick in and I see very little in the named logs.

Any advice appreciated.
thanks
Paul

-- 
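As an added example (not part of Paul's post or of ipfw), the following script shows the detection side of the problem described above: it parses BIND 9 "security" category log lines for denied recursive queries, counts them over a sliding time window, and reports when a burst crosses a threshold together with the top sources in that window. The log lines and the 60-second/4-query thresholds are constructed sample values; a real nameserver would use the 5-10 minute window and much higher count from the post.

```python
import re
from collections import Counter, deque
from datetime import datetime

# Constructed sample lines in the BIND 9 security-category format for
# refused recursion ("query (cache) '...' denied"); not a real capture.
SAMPLE_LOG = """\
07-Dec-2009 14:50:00.101 client 192.0.2.10#34567: query (cache) 'www.example.com/A/IN' denied
07-Dec-2009 14:50:00.202 client 192.0.2.11#40001: query (cache) 'www.example.com/A/IN' denied
07-Dec-2009 14:50:00.303 client 192.0.2.12#40002: query (cache) 'www.example.com/A/IN' denied
07-Dec-2009 14:50:00.404 client 192.0.2.10#34568: query (cache) 'www.example.com/A/IN' denied
07-Dec-2009 14:50:01.105 client 192.0.2.13#40003: query (cache) 'www.example.com/A/IN' denied
07-Dec-2009 14:55:30.500 client 198.51.100.7#5353: query (cache) 'example.org/MX/IN' denied
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+: query \(cache\) '(?P<q>[^']+)' denied$"
)

def parse_denied(log_text):
    """Yield (timestamp, client_ip) for every denied-recursion line, in log order."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"), m.group("ip")

def find_bursts(events, window_seconds, threshold):
    """Sliding window over time-ordered events. Returns one (time, count, top_sources)
    entry each time the trailing-window count first reaches the threshold."""
    window = deque()          # events inside the trailing window
    per_src = Counter()       # denied queries per source inside the window
    bursts, above = [], False
    for ts, ip in events:
        window.append((ts, ip))
        per_src[ip] += 1
        # Expire events older than the window.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            _, old_ip = window.popleft()
            per_src[old_ip] -= 1
            if per_src[old_ip] == 0:
                del per_src[old_ip]
        if len(window) >= threshold and not above:
            above = True
            bursts.append((ts, len(window), per_src.most_common(3)))
        elif len(window) < threshold:
            above = False
    return bursts

if __name__ == "__main__":
    for when, count, top in find_bursts(parse_denied(SAMPLE_LOG), 60, 4):
        print(f"{when}: {count} denied queries in window, top sources {top}")
```

The ranked sources can be fed into an ipfw table for a per-source block, but the post's own observation applies: once ipfw dynamic rules start dropping packets before named sees them, those packets never reach this log.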