That is very easy to mitigate, because you null route the production subnet except for a VPN that only can be reached by the proxy. You can even VPN over a completely different IPv6 route.
They could still try to knock your entire datacenter offline but that is much harder.
That's not much harder, that's exactly what happened to them in the initial attack.
You're still depending on either a "secret" IPv6 network, or your upstream provider performing some source-based routing to only route packets from the VPN connection. I doubt that's available to a simple colo customer.
They could still try to knock your entire datacenter offline but that is much harder.