Attack on DNS root servers
I suspect that this might have been a botnet showing off to its potential clients. This may explain withholding of the domain names queried (not to give advertising to the botnet).
"Source Address Validation and BCP-38." ISPs should validate the source address of UDP traffic from their end customers. This would end most UDP-based volumetric DDoS attacks.
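The ingress check the comment above describes, as an added example that is not part of the thread: an access router forwards a customer packet only when its source address falls inside a prefix delegated to the port it arrived on. The port names, prefix table and packets are constructed for illustration and use documentation address ranges.

```python
import ipaddress

# Constructed assignment table: access port -> prefixes delegated to that customer.
# Port names are hypothetical; prefixes are documentation ranges (RFC 5737 / RFC 3849).
CUSTOMER_PREFIXES = {
    "port-1": ["192.0.2.0/25", "2001:db8:1::/48"],
    "port-2": ["198.51.100.0/24"],
}

# Constructed sample traffic: (ingress port, source address, UDP destination port)
PACKETS = [
    ("port-1", "192.0.2.10", 53),      # source inside port-1's prefix
    ("port-1", "203.0.113.7", 53),     # spoofed: prefix not delegated to port-1
    ("port-2", "198.51.100.200", 53),  # source inside port-2's prefix
    ("port-2", "192.0.2.10", 53),      # real address, but it belongs to port-1
    ("port-1", "2001:db8:1::53", 53),  # IPv6 source inside port-1's prefix
    ("port-3", "198.51.100.1", 53),    # port with no delegation: nothing is valid
]

def build_filter(table):
    """Parse prefix strings once so the per-packet check stays cheap."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in table.items()}

def permit(filt, port, src):
    """Ingress check: True only if src lies in a prefix assigned to this port."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source address: drop
    return any(addr.version == net.version and addr in net
               for net in filt.get(port, []))

def classify(filt, packets):
    """Split packets into (forwarded, dropped) lists of (port, source) pairs."""
    forwarded, dropped = [], []
    for port, src, _dport in packets:
        (forwarded if permit(filt, port, src) else dropped).append((port, src))
    return forwarded, dropped

if __name__ == "__main__":
    fwd, drp = classify(build_filter(CUSTOMER_PREFIXES), PACKETS)
    for port, src in fwd:
        print(f"forward {port} {src}")
    for port, src in drp:
        print(f"drop    {port} {src}")
```

The fourth packet is the case worth noting: the address is legitimate somewhere in the network, so only a per-port check, not a network-wide prefix list, catches it.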
The beauty of DNS: No one was affected or noticed the problem. Resolvers just tried another one if they didn't get a response from one of the root servers.
So what were the domain names queried?
Related?
Day 2: UK research network Janet still being slapped by DDoS attack DNS services appear to be targeted, switching may work
http://www.theregister.co.uk/2015/12/08/uk_research_network_...
What made this unique now? Was it simply a high load?
Why is root-servers.org not https?
Is there significance to NTP requests in relationship to DDoS?
They don't mention otherwise but do we know if the attack has happened again since 1 December?
China testing something new? Or maybe some script kiddie testing their new botnet?
Donald Trump's failed attempt to shut down the Internet.
I bet the observed "random" source addresses are open recursive DNS servers. For this kind of attack they provide essentially free traffic-washing for whatever actual traffic-generation mechanism the attackers have.
What was the query string?
Rooftops?