Prevent UDP flood DOS (outgoing!)

What would be considered the normal Packet Per Second rate for traffic originating from a cpanel server to a specific single destination IP (end user)

Recently had a script uploaded via a CMS exploit that was DOS'ing people with a UDP flood.

I've since removed the script and also disabled the offending CMS so that the user can upload a clean copy and also ensure it's patched. but I'd like to try and take some measures to prevent such a thing occurring the future

I'd also like to take some additional measures that minimise the impact should anyone else manage to do something similar, one of the things I was thinking of doing was limiting the UDP packetflow per destination

I was thinking anything over X PPS gets dropped at the firewall before it even egresses my network but i'm not entirely sure what a resonable number for X should be.

 

Currently testing 100Packets per second per destination with a temporary burst of 500PPS allowed.

Although I do have the capability to firewall on the Cpanel box I actually do the majority of the filtering prior to egress from my (albeit virtual) network.

Hoping to get a 2nd physical box shortly in which case i'll probably actually buy a proper router but for a single server with relatively low traffic a Vitalized router works fine.

Using a vitalized instance of RouterOS which handles my routed subnet and also does the filtering between the physical NIC and the VM's running on the server

 

I have the firewall, as I tend to use the LFD component from it, although I prefer to set the bulk of my firewall rules on routerOS firewall as It's easier to manage.