Undetected DNS amplification attack

For past week we have been the recipient of a continuous DNS amplification attack campaign. (No doubt so are others.) An attempt occurs every 1 minute.

02/06/2021-12:43:59.470926 [Drop] [**] [1:2016016:8] ET DOS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} ->

This was, well, tolerated since suricata was blocking the attack.

Since yesterday another DNS amplification attack has been started, and it is NOT detected by suricata, and is much more active.

Any suggestions how to stop the attack?
Is there a rule I could modify to detect this?

Each instance consists of two queries:

A tail of the EVE log (now 3GB) is here:

No help?
Is it a dumb request?

Is it really a DNS amplification attack? Seems like you are getting both DNS queries and their answers.

Are there any repeating traffic patterns?
One hacky solutions is just dropping all traffic from

drop ip any -> any any (msg:"some message"; sid:1;)

A more advanced solutions could be inspired from this 6.30. Xbits Keyword — Suricata 6.0.0 documentation

I am not sure. Given that our DNS server was hit with over 600 queries per second for two days, asking the same query for ftx.com, I thought it might be.

Yes. Each IP made the same two queries. The IP set was from a relatively small group of IPs of about 20 networks.