by wang_li 3569 days ago
Trying to cause serious mayhem with spoofed addresses is pointless. Most DDOS comes from botnets, not from the attacker's personal resources. If you deployed a system that tried to spoof addresses, all that needs to happen to eliminate 90% of your attack is for Comcast and co. to implement edge filtering such that traffic inbound from people's computers is dumped if it's not an address that can reasonably come from that origin.

And, since each additional node in the bot net has zero marginal cost, why bother trying to hide the device anyway?

1 comment
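The edge filtering wang_li describes is what BCP 38 / RFC 2827 ingress filtering does: an access router keeps a table of the prefixes assigned to each customer port and drops anything arriving on that port with a source address outside them. The example below is added here to show the check concretely; it is not code from the comment's author, and the port-to-prefix table, the `Packet` record and the sample traffic are all constructed for the demonstration. It also shows the limit of the technique: a host can still forge a neighbour's address inside the same assigned prefix, because the filter only knows the prefix, not the individual host.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical access-router table: which source prefixes are assigned to
# each customer-facing port (constructed for this example).
CUSTOMER_PREFIXES = {
    "port-1": [ipaddress.ip_network("203.0.113.0/29")],
    "port-2": [
        ipaddress.ip_network("198.51.100.64/26"),
        ipaddress.ip_network("2001:db8:10::/48"),
    ],
}


@dataclass(frozen=True)
class Packet:
    ingress_port: str  # port the packet arrived on
    src: str           # source address as written in the IP header
    dst: str


def bcp38_allows(pkt, table=CUSTOMER_PREFIXES):
    """Return True if pkt's source address is plausible for its ingress port.

    A packet is accepted only when its source lies inside one of the prefixes
    assigned to the port it came in on.  Unknown ports and unparsable
    addresses are dropped.  Note that ip_network.__contains__ returns False
    for an address of the other IP version, so v4 sources never match v6
    prefixes and vice versa.
    """
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False
    return any(src in net for net in table.get(pkt.ingress_port, ()))


def filter_packets(packets, table=CUSTOMER_PREFIXES):
    """Split packets into (accepted, dropped) according to bcp38_allows."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if bcp38_allows(pkt, table) else dropped).append(pkt)
    return accepted, dropped


# Constructed sample traffic.  The dst is a stand-in DDoS target.
SAMPLE = [
    Packet("port-1", "203.0.113.2", "192.0.2.10"),     # legitimate
    Packet("port-1", "203.0.113.5", "192.0.2.10"),     # forged, but inside port-1's /29: passes
    Packet("port-1", "198.51.100.70", "192.0.2.10"),   # forged with port-2's address: dropped
    Packet("port-2", "2001:db8:10::1", "2001:db8::1"),  # legitimate IPv6
    Packet("port-2", "8.8.8.8", "192.0.2.10"),         # forged off-net address: dropped
    Packet("port-9", "203.0.113.2", "192.0.2.10"),     # unknown port: dropped
    Packet("port-1", "not-an-ip", "192.0.2.10"),       # garbage header: dropped
]


if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    for p in ok:
        print("ACCEPT", p.ingress_port, p.src)
    for p in bad:
        print("DROP  ", p.ingress_port, p.src)
```

The second sample packet is the caveat: BCP 38 stops a customer from impersonating the rest of the Internet, but not from impersonating another host in its own assigned block, so an attacker on a large shared prefix keeps some room to forge.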

Bots use real addresses because nothing is done to track them and require the owner or OS provider to fix them. They currently have no incentive to fix the problem.

Collecting the source IP addresses of a DDOS attack is the first thing that could be done. Then progressive pressure should be applied to force the computers to be fixed and get rid of the bots. OSes with weak security would then feel the pain.

The day this is done, the next step will be to use forged source IP addresses. What would be the incentive for ISPs to pay the price to filter packets? As long as no one is able to prove that the packet is forged, they won't do anything.
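The reply's first step, collecting the attacking source addresses so pressure can be put on whoever owns them, and its objection, that nobody can prove a source is forged, can both be made concrete. The example below is added here and is not the commenter's code; the flow records, the target address and the partial bogon list are constructed for the demonstration. It groups the sources seen at a victim's border by /24 (the unit an operator would report to an ISP or abuse contact) and separates out one class of address that provably cannot be genuine: private, loopback, multicast and other unroutable ranges, which cannot arrive from the public Internet unforged. Everything outside that class is exactly the case the reply worries about, where the victim alone cannot tell a real bot from a spoofed source.

```python
import ipaddress
from collections import Counter

# Partial list of address ranges that must never appear as a source on the
# public Internet (RFC 1918 private space, loopback, link-local, multicast,
# reserved).  A source in one of these is provably forged, or leaked by a
# misconfigured network, since it is not globally routable.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(addr):
    """True if addr (an IPv4Address) lies in a known unroutable range."""
    return any(addr in net for net in BOGON_NETS)


def summarize_sources(flows, target, prefix_len=24):
    """Aggregate attack sources against `target`.

    flows: iterable of (src, dst, packet_count) records, e.g. from a flow
    collector at the border.  Returns (per_prefix, bogons): a Counter of
    packets per source /prefix_len for routable sources, and a Counter of
    packets per individual source for addresses that cannot be genuine.
    """
    per_prefix = Counter()
    bogons = Counter()
    for src, dst, pkts in flows:
        if dst != target:
            continue  # only flows aimed at the victim
        addr = ipaddress.ip_address(src)
        if is_bogon(addr):
            bogons[src] += pkts
            continue
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        per_prefix[str(net)] += pkts
    return per_prefix, bogons


def top_prefixes(per_prefix, n=5):
    """The n busiest source prefixes, the list an operator would escalate."""
    return per_prefix.most_common(n)


# Constructed flow records: (src, dst, packets).  192.0.2.10 is the victim.
FLOWS = [
    ("203.0.113.5", "192.0.2.10", 3),
    ("203.0.113.9", "192.0.2.10", 1),
    ("198.51.100.70", "192.0.2.10", 2),
    ("10.1.2.3", "192.0.2.10", 2),      # RFC 1918 source: cannot be real
    ("192.168.1.1", "192.0.2.10", 1),   # RFC 1918 source: cannot be real
    ("8.8.8.8", "192.0.2.11", 5),       # different destination, ignored
]


if __name__ == "__main__":
    prefixes, forged = summarize_sources(FLOWS, "192.0.2.10")
    for net, pkts in top_prefixes(prefixes):
        print(f"{net:20} {pkts} packets")
    for src, pkts in forged.items():
        print(f"provably forged {src}: {pkts} packets")
```

Routable sources that are actually spoofed end up in `per_prefix` alongside real bots, which is the reply's point: from the victim's side the two are indistinguishable, and only the ingress-side filter at the originating ISP can tell them apart.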