As far as (2) goes, they actually need to be too big too fail. Otherwise, it's plainly impossible for internet infrastructure companies to be able to financially weather ddos attacks like this. These sorts of attacks are very expensive to mitigate, and part of the way we can do that is to centralize under services like AWS and collectively pay for ddos protection (short of the government doing so and separating our network from those of major malicious foreign actors').