If this is their attack vector it could be automatically filtered via the log files if needed and blocked via the firewall. A normal node should not request the same block more than once.
Shorena,
You're correct. The attack vector is not a direct interaction with the bitcoind node. The attacker is only using that interaction to determine wether the node is running Bitcoin Classic.
If the attacker determines the node is Bitcoin Classic, they are adding the IP address a list of all Classic Node IP addresses. The attacker then cycles through all the IP addresses in the list and points a DDoS at each IP for about 15 or 20 minutes. The DDoS is a DNS amplification attack. The throughput of the attack is approximately 500Mbps. If the targets' internet downlink is equal to or less than 500Mbps they are effectively blocked from accessing the internet in any way.
Also, if there is more than one Bitcoin Classic node running on the same network there's a good chance you will get two or more attacks at once, increasing the attack throughput to 1Gbps, or more.
https://www.us-cert.gov/ncas/alerts/TA13-088A