Here are some iptables rules that Jeff and I have been testing to
 determine their effectiveness in reducing DNS abuse traffic.  Both of
 us have been seeing hit rates of 20-50/second from various IP's.  On
 my own T2, loads were as high as 4-5.  After implementing the
 following rules, my T2 load dropped to a steady 1.0, with a dramatic
 decrease in "bad" DNS traffic.
 
Here are the rules we have been testing with:
 
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
 -A RH-Firewall-1-INPUT -p udp -m hashlimit --hashlimit-srcmask 24 \
	 --hashlimit-mode srcip --hashlimit-upto 30/m --hashlimit-burst 10 \
	 --hashlimit-name DNSTHROTTLE --dport 53 -j ACCEPT
 -A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j DROP
 
Basic explanation (please note I am not an iptables expert, so my
 understanding may or may not be accurate):
 
The first line might or might not be needed, and simply opens up port
 53 to UDP traffic.
 
The second line uses:
	 '-m hashlimit' to specify hashlimit filtering.
	 '--hashlimit-scrmask 24' works in conjunction with '--hashlimit-mode
 srcip' to group incoming IPs in "net blocks" using a netmask of /24.
 This allows processing of multiple IPs that come from the same
 netblock but different hosts.
	 '--hashlimit-upto 30/m' in conjunction with '-j ACCEPT' permits traffic to pass that has an average rate of less than 30 packets per minute.
	 '--hashlimit-burst 10' allows for 10 "free" packets before averaging begins
	 '--hashlimit-name DNSTHROTTLE' provides access via /proc/net/ipt_hashlimits/DNSTHROTTLE to the list of all blocked IP subnets at any given moment in time.  You can use any name for this option.
 
The third line is necessary to drop any packets that don't satisfy the
 preceding rule.
 
I believe Jeff is going to follow up this email with equivalent
 shorewall rules.  Please report back with successes and/or failures.
 I'm sure the parameters I've chosen can use much more tweaking.