Interesting read on request versus response rate limiting.

We've recently been the reflection point in a DNS-based reflection+amplification attack. We implemented some rate limiting to prevent it, and as part of my research on this topic I found this discussion to be fascinating. In particular, the trade-offs between request rate limiting and response rate limiting... It's about half way down in this dns-operations thread on "DNS ANY from Amazon".