So we've got a 3725 with the ADVSECURITY IOS, and I've been asked to look at something I'm unfamiliar with. Perhaps you guys would know.
Is there a way I can rate-limit incoming packets (DNS Queries to be exact, but it shouldn't really matter) coming from any single host?
So for instance... host 188.8.131.52 can freely request DNS information.... but if they do it more than x times in a second they're probably up to no good, and thus we just start dropping y% of requests from that IP. I'm certain this can be done in the DNS server itself, but we'd like to cut this kind of stuff off before it ever makes it that far.
And again, just to be clear, we're not working with a blacklist here... we're looking for a simple rule that will just drop packets from any sufficiently noisy address (we're a low enough volume site that it's easy to draw the line between "sensible" and "not", so that won't be a problem).
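As an added illustration (not from the original thread, and not an IOS feature), here is the policy the question describes modelled in Python: a per-source sliding window of x queries per second, with y% of the excess dropped and no blacklist. The hosts, timestamps and thresholds are constructed sample input.

```python
import random
from collections import defaultdict, deque


class PerSourceRateLimiter:
    """Sliding one-second window per source IP.

    A source may send up to max_per_second queries in any one-second window;
    each query beyond that is dropped with probability drop_fraction (the y%).
    Other sources are unaffected, and this is not a blacklist: a host that
    quiets down is admitted again as soon as its window empties.
    """

    def __init__(self, max_per_second, drop_fraction, seed=0):
        self.max_per_second = max_per_second
        self.drop_fraction = drop_fraction
        self.rng = random.Random(seed)        # seeded so runs are reproducible
        self.windows = defaultdict(deque)     # src_ip -> timestamps in last 1 s

    def allow(self, src_ip, now):
        window = self.windows[src_ip]
        while window and now - window[0] >= 1.0:   # expire entries older than 1 s
            window.popleft()
        window.append(now)
        if len(window) <= self.max_per_second:
            return True
        return self.rng.random() >= self.drop_fraction


def police(packets, max_per_second, drop_fraction, seed=0):
    """Run (timestamp, src_ip) packets through the limiter; return per-IP counts."""
    limiter = PerSourceRateLimiter(max_per_second, drop_fraction, seed)
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, src in sorted(packets):
        stats[src]["allowed" if limiter.allow(src, ts) else "dropped"] += 1
    return dict(stats)


# Constructed sample: a well-behaved client querying twice a second for five
# seconds, and a noisy host firing 50 queries inside the first second.
QUIET = [(i * 0.5, "10.0.0.5") for i in range(10)]
NOISY = [(i * 0.02, "10.0.0.9") for i in range(50)]
SAMPLE = QUIET + NOISY

if __name__ == "__main__":
    for ip, counts in police(SAMPLE, max_per_second=20, drop_fraction=1.0).items():
        print(ip, counts)
```

Note that a class-based `police` statement in an IOS policy-map limits the matched class in aggregate, not per source address, so reproducing this per-host behaviour on the router itself depends on whether the platform offers per-flow policing.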