
I question the premise of such an approach. Denial-of-service is caused by applications that consume disproportionate resources based on untrusted user input. That’s entirely orthogonal to whether the application accepts input over UDP or TCP.

I would raise hell with my ISP/cloud vendor/network operator if they thought that it was appropriate to cut corners and block me from using UDP. That’s more likely to DoS me if it means my games or video calls (or any of a million things that legitimately use UDP) stop working or become significantly degraded.



If you've got a 10gbps server that's attracting 100gbps of UDP reflection DDoS traffic, and your host has ingress capacity for that, their easy/simple/low cost options to help are most likely null-routing your IP, which doesn't really feel like helping, or dropping UDP to your IP.

If you're running a UDP service, you're going to need something more complex. Maybe the host can drop all UDP but port 80, but maybe the DDoSers can generate the reflection traffic to port 80 instead of random ports. If you're getting too much volumetric DDoS on your service port, you'll need to have some sort of filtering that understands your service traffic better and has enough ingress capacity. Usually that's expensive, not super flexible, and often adds a lot of latency.


> I question the premise of such an approach.

Feel free to question the direction the sun rises from.

> Denial-of-service is caused by applications that consume disproportionate resources based on untrusted user input. That’s entirely orthogonal to whether the application accepts input over UDP or TCP.

It's not: UDP-based protocols are generally mis-directionable and amplifying, which allows for much easier DoS-ing.

> I would raise hell with my ISP/cloud vendor/network operator if they thought that it was appropriate to cut corners and block me from using UDP.

They're doing the exact opposite of cutting corners. But hey, good luck using video calls when the routers are melting, I'm sure that's going to be great.

> That’s more likely to DoS me if it means my games or video calls (or any of a million things that legitimately use UDP) stop working or become significantly degraded.

Only if you operate under the misguided assumption that hole-punching is not a thing.

Hell, any NAT requires specific handling of inbound connections to perform proper translation, and "drop" is a perfectly good default translation for an unrequested inbound.
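The "drop unrequested inbound, allow hole-punched replies" behaviour discussed in this thread, as an added example that is not from any commenter: a simplified stateful UDP filter (the address ranges, ports and packet sizes are constructed, and the timeout-based mapping model is an assumption, not any particular NAT implementation). It shows why a host's own outbound call media gets through while a burst of reflected replies from port 123 does not.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    size: int  # bytes


class StatefulUdpFilter:
    """Allow inbound UDP only as a reply to a flow the inside host opened first;
    everything unsolicited (reflected amplifier replies included) is dropped."""

    def __init__(self, timeout=30.0):
        self.timeout = timeout
        self.flows = {}  # (inside_ip, inside_port, peer_ip, peer_port) -> last seen

    def outbound(self, pkt, now):
        # The inside host sending first "punches the hole" for the reverse path.
        self.flows[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = now

    def inbound(self, pkt, now):
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        seen = self.flows.get(key)
        if seen is None or now - seen > self.timeout:
            self.flows.pop(key, None)  # forget expired mappings
            return "drop"
        self.flows[key] = now  # refresh the mapping on legitimate traffic
        return "accept"


def simulate():
    """Constructed traffic: one hole-punched call reply, a burst of reflected
    replies from port 123, and one reply arriving after the mapping expired."""
    f = StatefulUdpFilter(timeout=30.0)
    host, peer = "192.0.2.10", "198.51.100.7"  # documentation-range addresses
    f.outbound(Packet(host, 40000, peer, 5000, 120), now=0.0)
    inbound = [Packet(peer, 5000, host, 40000, 1200)]  # the call's media reply
    inbound += [Packet(f"203.0.113.{i}", 123, host, 40000, 1400)  # reflected
                for i in range(1, 51)]
    result = {"accept": 0, "drop": 0, "dropped_bytes": 0}
    for pkt in inbound:
        verdict = f.inbound(pkt, now=1.0)
        result[verdict] += 1
        if verdict == "drop":
            result["dropped_bytes"] += pkt.size
    if f.inbound(Packet(peer, 5000, host, 40000, 1200), now=60.0) == "drop":
        result["drop"] += 1  # stale mapping: a reply after timeout is dropped too
    return result
```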



