So, all DNS server operators have to deal with spoofed UDP traffic, doubly so for open recursive server operators. It requires a lot of fiddling with limits in the software used to detect attacks to adapt the constantly changing attack landscape. Sometimes the attacks look so much like regular traffic that it is tricky to tell attackers apart from real users, which is why many of you have had the unfortunate experience of being blocked as a false positive.
Without getting too technical: UDP traffic can be spoofed. This is primarily true because of lazy or incompetent ISPs not enforcing proper filters on their outgoing traffic.