i think your concern is the mirror image of what i expect. all udp is
suspicious, and not just due to ddos, think also exfil and infil.
managed private networks (like family and corporate) may allow udp/443
as an exception. some of the more activist service operators will move
to non-443 ports in order to make this expensive. ("defenders gonna
defend.")
managed public networks (like those in china and russia) certainly will
not make an exception for udp/443. content they can't inspect will be
criminalized, as before.
managed private networks may become stateful for udp/443 flows to allow
outward but deny inward, since there is not a visible "SYN" bit, as
there is in tcp. state in digital systems is like heat in dynamic
systems, and "state death" will be common. this just isn't the worst
thing, so it will become an accepted risk.
unmanaged networks (public or private) will remain transparent, which
means inbound ddos is coming right on through. it's nice that a QUIC
endpoint will not participate in amplification, but when other endpoints
"out there" do participate, the traffic toward a victim endpoint will
remain insuperable no matter what that endpoint does with the fraction
of the ddos flow they actually receive.
a partially managed (not fully transparent) network (public or private)
can be expected to implement port-based inbound UDP blocking of the kind
you describe. the set of ports will be dynamic, updated during attacks.
not something to be hardcoded or "set and forget".
