
Situation: I am currently seeing a huge wave of incoming DNS requests arriving in bursts of around 85 queries per 2-3 seconds from one IP. Then another IP sends a new wave, and so on (currently my DNS service is turned off, so that it does not take part in what looks like another amplification attack).

Question: Is there a way to set a query limit per IP?

It is very unlikely that the same client needs to resolve more than 2 or 3 domains within a second, so that sounds like a reasonable step.

Philip Allgaier

2 Answers


No shipping version of Windows Server has any built-in functionality to do rate-limiting like you're looking for, either in the IP stack or in the DNS server. You're stuck putting a firewall that can rate-limit in front of the Windows machine if you want this type of functionality.

Evan Anderson

Philip, is it possible that you are running a public recursive DNS server?

I see that you currently have disabled your DNS service but your IP is most likely still in the 'servers to abuse' list of criminals.

What you can do:

  • Check if your public IP is listed on: openresolverproject.org

  • Disable recursion on your DNS server completely or only listen on an internal interface. See http://technet.microsoft.com/en-us/library/cc755068.aspx

  • Have a look at the BIND DNS server under Linux. It's free and allows you to configure from which subnets you want to allow recursion.

Blog post on directedat.asia domain: http://dnsamplificationattacks.blogspot.com/2013/05/domain-directedatasia.html

user180695
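As an added example (not from either answer), this is the BIND `named.conf` shape the second answer points to: the open-resolver setting that gets a server onto abuse lists, beside a restricted one. The ACL name, subnets and listen address are assumptions, and the `rate-limit` block (BIND 9.10 or later) goes beyond what the answers mention; it is the closest BIND equivalent of the per-IP limit the question asks for. The two `options` blocks are alternatives; only one may appear in a real `named.conf`.

```conf
// --- WEAK: open resolver. Any source on the internet can make this
// --- server recurse, so it can be used as a reflector in amplification attacks.
options {
    recursion yes;
    allow-recursion { any; };
};

// --- CORRECTED: recursion only for the assumed internal subnets.
acl "internal" {                 // assumed subnets, adjust to your network
    127.0.0.0/8;
    10.0.0.0/8;
    192.168.0.0/16;
};

options {
    listen-on { 10.0.0.53; };    // assumed internal interface; do not listen on the public side
    recursion yes;
    allow-recursion { "internal"; };
    allow-query-cache { "internal"; };

    // Response Rate Limiting (BIND 9.10+): cap identical responses per
    // client /24 so even authoritative answers cannot be reflected at volume.
    rate-limit {
        responses-per-second 5;  // per IPv4 /24 per second
        window 5;                // seconds over which the limit is averaged
        ipv4-prefix-length 24;
        log-only no;             // set to yes first to observe what would be dropped
    };
};
```

After reloading, `rndc status` and the query log show whether recursion refusals and rate-limit drops are occurring from the external bursts described in the question.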