Actually, what we are seeing does not appear to be an amplification
attack. It appears to be a request flood from infected machines.
We have anti-spoofing filters on our upstream connections as well as our
subscriber's access lines. The source addresses are not spoofed. They
are valid subscriber source IP's.
Based on some cached entries I have found in other nameservers, CTRC.CC
was apparently hacked and was delegating a number of subdomains to
another nameserver that was issuing the 4K TXT record. The delegation
has now been removed, and the nameserver they were delegated to appears
to be offline.
