How to protect yourself from DDoS by incoming UDP?
A huge number of UDP packets come to the server; they fill up 1 Gbit/s.
Packets are clearly responses from DNS servers, while my server does not send any requests to them.
The contents of the packet look like this: dl.dropbox.com/u/937100/screenshots/screen140501-0...
I'm trying to block all UDP traffic via iptables, but tcpdump shows that the packets still come:
-A INPUT -p udp -j DROP
-A OUTPUT -p udp -j DROP
-A INPUT -j DROP
Logically, this is incoming traffic.
You cannot get rid of incoming traffic on your network interface in any way. You can choose not to let packets into the system, yes.
In this case, you need to cut the attack where the traffic becomes outgoing. For example, ask the hoster to cut the UDP traffic incoming to you, or get behind Cloudflare or some other anti-DDoS protection.
And a DDoS amplification attack is coming at you.
Many people simply close this traffic, since it is difficult to protect against UDP; this is essentially a powerful attack via the port, and DNS amplification can be scaled up to incredible power, into the hundreds of gigabits.
Cloudflare won't help, they only protect against layer 7 attacks.
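The answer above makes the point that a local DROP rule stops the kernel from processing the packets but not their arrival on the link. The following added example (not from this thread) triages a capture the way the asker describes: it parses simplified tcpdump-style UDP summary lines (a constructed sample, not the poster's capture), separates DNS replies that answer a query the host actually sent from unsolicited reflected replies, and totals the bytes that reached the wire and the number of distinct reflectors an upstream filter would have to cover.

```python
import re

# Assumed tcpdump -nn -tt style summary line for UDP (hypothetical format, not from the thread):
#   <epoch.usec> IP <src>.<sport> > <dst>.<dport>: UDP, length <bytes>
LINE_RE = re.compile(r"^\d+\.\d+ IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): UDP, length (\d+)$")

# Constructed sample capture: 203.0.113.10 is "our" host and sends one real query
# to 198.51.100.5; every other packet from port 53 is an unsolicited (reflected) reply.
SAMPLE = """\
1400000000.000100 IP 203.0.113.10.41000 > 198.51.100.5.53: UDP, length 60
1400000000.000900 IP 198.51.100.5.53 > 203.0.113.10.41000: UDP, length 120
1400000000.001000 IP 192.0.2.20.53 > 203.0.113.10.80: UDP, length 3000
1400000000.001200 IP 192.0.2.21.53 > 203.0.113.10.80: UDP, length 3000
1400000000.001400 IP 192.0.2.22.53 > 203.0.113.10.443: UDP, length 4000
"""


def parse(text):
    """Parse tcpdump UDP summary lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            src, sport, dst, dport, length = m.groups()
            records.append({"src": src, "sport": int(sport), "dst": dst,
                            "dport": int(dport), "len": int(length)})
    return records


def classify(records, our_ip):
    """Split inbound port-53 replies into (solicited, reflected): a reply is solicited
    only if our host earlier sent a query to that resolver from the same local port."""
    queries, solicited, reflected = set(), [], []
    for r in records:
        if r["src"] == our_ip and r["dport"] == 53:
            queries.add((r["sport"], r["dst"]))
        elif r["dst"] == our_ip and r["sport"] == 53:
            (solicited if (r["dport"], r["src"]) in queries else reflected).append(r)
    return solicited, reflected


def summarize(reflected):
    """Bytes that reached the wire regardless of any local DROP rule, and the
    number of distinct reflectors an upstream filter would have to cover."""
    return {"packets": len(reflected),
            "bytes": sum(r["len"] for r in reflected),
            "reflectors": len({r["src"] for r in reflected})}
```

On a real capture, the `bytes` total is what saturates the link whether or not iptables drops the packets afterwards; the reflector list is what a hoster-side filter or an upstream scrubbing service can act on.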
Hello! I have the same problem. There is a Mikrotik CCR 1036 box, and behind it is a server. The channel width is 1 Gbit/s, and some weirdos have been DDoSing our IP address for the third week already. They just stupidly pour garbage UDP traffic onto all ports in a row in the range from 4120 to 59000, which overloads the incoming channel up to 970 Mbit; as a result the server cannot reach the Internet and there is no remote connection to the Mikrotik. What haven't I tried, what blocking rules haven't I written! Drops in the firewall, blocked ports, closed the external interface on the Mikrotik, nothing helps! It seems the attacks are bounced off by the Mikrotik's rules, it is clear that it is blocking, but it seems it cannot keep up: the channel is still loaded at 100%, despite the fact that it is 1 Gbit/s, not some 100 Mbps! I have climbed all over Google; everywhere they write that protection is possible only at the provider level, and the provider, unfortunately, does not care about DDoS attacks: they stupidly forward the Internet channel, it works and that's it! Junk traffic is of no concern to them. What do you kind people recommend?