Comcast called me. Said I was running UDP portmapper on my external IP. Oops.
This was leftover from an experiment running NFSv4 across the net. [it sucked, used sshfs instead]
Also for those who've never experienced a reflection attack it's NASTY. Attacker sends forged source-address UDP packets so all responses go to the victim host. In the past NTP and DNS provided the vectors. Back in 2006 it was PharmaMaster and Blue Security: