This is fine and dandy but there's one point which is not quite clear to me (to phrase it a funny way that what you have said may not apply).
DNS amplifiers used for DDoS return their (amplified) payload to one attacked site using either an authoritative server or more often an open resolver, by using a method as:
* send a small request using fake sender to the amplifier ns
* the amplifier(s) send large response(s) to the faked target
Now, there's two problem for me:
1) the requests come from customers, and the reply goes back to them. They are DoS'ing themselves (not really distributed if you attack yourself)
2) they are using their own designated resolver (it's not open)
[bonus) ingress filtering makes it impossible to have _their_ source faked]
So while I see the amplification I fail to see the point that people are instructed to DoS themselves. Or if it's about DoS'ing the resolver then it is a few magnitudes lower than would be even detectable.
Any more ideas?
g