parvedejs
just joined
Topic Author
Posts: 2
Joined: Thu Jul 01, 2010 11:24 am

DNS DDOS amplification attack (FW rule)

Wed Jul 10, 2013 11:58 am

Hi
I have a network with servers which are not correctly configured, and from time to time they are used for this kind of attack. Unfortunately, I do not have access to configure them correctly. I only have a MikroTik router, which I am able to configure, in the middle, between the internet and these servers.

Idea:
Make a FW rule which compares incoming and outgoing traffic per session for UDP port 53 connections, and if the outgoing amount of data is 1.5 times bigger than the incoming, place the source address in a drop list.

Question:
How to write this rule?
 
EMOziko
Member Candidate
Posts: 129
Joined: Mon Aug 23, 2010 9:42 pm
Location: Georgia

Re: DNS DDOS amplification attack (FW rule)

Wed Jul 10, 2013 12:08 pm

It's a very good idea, because just blocking DNS traffic from non-trusted interfaces is sometimes not an option.
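
The comparison proposed in the first post, as an added example in Python (not code from the thread and not RouterOS syntax): it applies the 1.5 ratio to per-session byte counts for UDP port 53 and returns the sources to drop. The session records, addresses and the `MIN_REPLY_BYTES` floor are constructed assumptions; the floor is there because ordinary DNS answers are also larger than their queries.

```python
from collections import defaultdict

RATIO = 1.5             # threshold from the post: reply bytes > 1.5 x request bytes
MIN_REPLY_BYTES = 512   # assumption (not in the post): skip small, ordinary answers

# Constructed sample sessions, as a connection-tracking export might list them:
# (client, client_port, server, proto, dst_port, bytes_in, bytes_out)
# bytes_in = toward the servers, bytes_out = back toward the client
SAMPLE_SESSIONS = [
    ("198.51.100.7", 40001, "192.0.2.10", "udp", 53, 64, 3100),  # large reply
    ("198.51.100.7", 40002, "192.0.2.10", "udp", 53, 64, 2900),  # large reply
    ("203.0.113.20", 53111, "192.0.2.10", "udp", 53, 45, 120),   # ratio 2.7, small
    ("203.0.113.21", 53112, "192.0.2.11", "udp", 53, 80, 96),    # ratio 1.2
    ("203.0.113.22", 44321, "192.0.2.10", "tcp", 53, 70, 4000),  # TCP: out of scope
    ("203.0.113.23", 50000, "192.0.2.10", "udp", 123, 48, 480),  # not port 53
    ("203.0.113.24", 50001, "192.0.2.10", "udp", 53, 0, 900),    # no request counted
]

def build_drop_list(sessions, ratio=RATIO, min_reply=MIN_REPLY_BYTES):
    """Return {source: [(bytes_in, bytes_out), ...]} for sources to drop."""
    drop = defaultdict(list)
    for client, _port, _server, proto, dport, b_in, b_out in sessions:
        if proto != "udp" or dport != 53:
            continue                  # the rule only covers UDP port 53
        if b_out <= 0 or b_out < min_reply:
            continue                  # nothing sent back, or reply below the floor
        # A reply with no counted request bytes cannot be ratio-tested by
        # division, so it is treated as exceeding the threshold.
        if b_in == 0 or b_out > ratio * b_in:
            drop[client].append((b_in, b_out))
    return dict(drop)

def naive_drop_list(sessions, ratio=RATIO):
    """The ratio exactly as posted, with no reply-size floor, for comparison."""
    return build_drop_list(sessions, ratio, min_reply=0)

if __name__ == "__main__":
    print("with floor:", sorted(build_drop_list(SAMPLE_SESSIONS)))
    print("ratio only:", sorted(naive_drop_list(SAMPLE_SESSIONS)))
```

On the constructed data the ratio alone also lists 203.0.113.20, whose 45-byte query received an unremarkable 120-byte answer.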
