You don't even have to wait -- you know something funny is going on from the very first bogus
packet you receive (since the attacker has to send thousands of bogus packets before one of
them will chance to be valid).
That still doesn't tell you what to do, though. Besides paging the sysadmin, I mean, which
isn't going to be very effective on a consumer router.
I guess one of the pieces of information you can extract from the bogus packet is what cache
entry the attacker is trying to poison, and then treat that entry more carefully -- e.g., you
could put a flag on that entry, and when you receive an apparently valid value, if the flag is
set then you clear the flag but *don't* cache the value you received; this would mean that an
attacker had to spoof you on two transactions in a row without sending any bogus packets in
between in order to successfully poison your cache. You can tune how many bogus packets are
required to set the flag and how many valid responses are required to clear the flag to
trade off between safety and joe-job potential, but really if someone is flooding you with
thousands of UDP packets then running even dozens of extra queries is not going to be your
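As an added illustration of the flagging scheme described in this post (example code written for this page, not the poster's own code): a toy resolver cache where a reply whose transaction ID or source port does not match the outstanding query is counted as bogus, enough bogus replies set a per-name flag, and while the flag is set an apparently valid reply counts toward clearing it but is not cached. The `bogus_to_flag` and `valid_to_clear` knobs are the two tunables mentioned above; `dropped_valid` counts the legitimate answers that get thrown away (the joe-job cost). The names, addresses, thresholds and the simulated Kaminsky-style race are all constructed for the example.

```python
"""Toy resolver cache that flags entries an attacker is trying to poison.

Constructed example modelling the proposal above; not a real resolver.
A reply is 'bogus' when its (txid, source port) does not match the
outstanding query.  Enough bogus replies flag the name; while flagged,
an apparently valid reply counts toward clearing the flag but is NOT cached.
"""
import random
from dataclasses import dataclass, field

GOOD = "192.0.2.1"      # documentation-range addresses, constructed sample data
EVIL = "203.0.113.66"


@dataclass
class _NameState:
    bogus_count: int = 0      # bogus replies seen while unflagged
    valid_remaining: int = 0  # >0 means flagged; valid replies still needed to clear


@dataclass
class SuspiciousCache:
    bogus_to_flag: int = 1    # bogus replies needed to set the flag
    valid_to_clear: int = 1   # valid replies needed to clear it (none get cached)
    cache: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)   # qname -> (txid, source port)
    state: dict = field(default_factory=dict)
    dropped_valid: int = 0    # joe-job cost: valid answers discarded, i.e. re-queries

    def send_query(self, qname, rng):
        """Issue a query with a fresh random txid and source port."""
        txid, port = rng.randrange(1 << 16), rng.randrange(1024, 1 << 16)
        self.pending[qname] = (txid, port)
        return txid, port

    def is_flagged(self, qname):
        return self.state.get(qname, _NameState()).valid_remaining > 0

    def on_reply(self, qname, txid, port, value):
        """Process one UDP reply; returns 'bogus', 'dropped' or 'cached'."""
        st = self.state.setdefault(qname, _NameState())
        if self.pending.get(qname) != (txid, port):
            # Mismatch: no legitimate server sends these, so treat the entry as under attack.
            if st.valid_remaining > 0:
                st.valid_remaining = self.valid_to_clear   # bogus in between re-arms the flag
            else:
                st.bogus_count += 1
                if st.bogus_count >= self.bogus_to_flag:
                    st.bogus_count = 0
                    st.valid_remaining = self.valid_to_clear
            return "bogus"
        del self.pending[qname]            # apparently valid: txid and port both match
        if st.valid_remaining > 0:
            st.valid_remaining -= 1        # counts toward clearing, but is not trusted
            self.dropped_valid += 1
            return "dropped"
        self.cache[qname] = value
        return "cached"


def kaminsky_race(cache, qname, rng, bogus_guesses):
    """One transaction: the attacker floods wrong guesses, then lands the right one."""
    txid, port = cache.send_query(qname, rng)
    for i in range(bogus_guesses):
        cache.on_reply(qname, (txid + 1 + i) % (1 << 16), port, EVIL)
    return cache.on_reply(qname, txid, port, EVIL)   # the lucky packet


def demo():
    """Naive cache vs. flagging cache, and what 'two lucky spoofs in a row' costs."""
    rng = random.Random(7)
    q = "www.example.com."
    out = {}
    naive = SuspiciousCache(bogus_to_flag=10**9)        # flag never set
    out["naive"] = (kaminsky_race(naive, q, rng, 2000), naive.cache.get(q))
    flagged = SuspiciousCache(bogus_to_flag=1, valid_to_clear=1)
    out["flagged_first"] = (kaminsky_race(flagged, q, rng, 2000), flagged.cache.get(q))
    # Second transaction with NO bogus packets before the lucky one: the flag was
    # cleared by the first (discarded) hit, so this one lands.
    out["flagged_second_no_bogus"] = (kaminsky_race(flagged, q, rng, 0), flagged.cache.get(q))
    out["flagged_dropped_valid"] = flagged.dropped_valid
    strict = SuspiciousCache(bogus_to_flag=1, valid_to_clear=2)   # needs one more clean hit
    out["strict_first"] = (kaminsky_race(strict, q, rng, 2000), strict.cache.get(q))
    out["strict_second_no_bogus"] = (kaminsky_race(strict, q, rng, 0), strict.cache.get(q))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Raising `valid_to_clear` makes the attacker land one more clean hit per extra unit, at the price of one more discarded legitimate answer (and re-query) per flagged name, which is exactly the safety versus joe-job trade-off the post describes.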