This. Rate-limiting can help...I'm quite sure Google has rate-limiting in place on 18.104.22.168 for instance. But for those who don't have Google's budget, it's a challenge. There are not currently any sufficiently tested and stable DNS rate-limiting features in any of the top 3 resolvers out there. The problem here is networks letting spoofed packets out of their nets, not DNS servers performing correctly.