I dont know the reason behind this, but freaky1's idea of separating amazon from the rest of the network makes the most sense. Amazon does not seem to care, this might be something the attack knew in advance.
I understand that it makes sense, however I doubt that something on such a small scale could have a big impact though.Wasnt amazon also among the ISPs that hosted a significantly large portion of the classic nodes? It might be an attempt to kick them off the network or make it look like someone was trying to do so.
Correct. However, almost all of those nodes have disappeared (a day or two before those connections appeared which is a strange coincidence)[1]: 
Btw I dont think there is a big difference between manually banning single IPs for a month and automatically banning single IPs for a day each hour if needed. The only advantage I see in my approach is that have clear log file that indicates when the attack stopped (on my node).
I didn't mean to say that there was and I concur. I'll check up on them in a month.[1] - https://coin.dance/nodes