by lima 3032 days ago
Yes, absolutely - there are plenty of scenarios like, ironically, DDoS mitigation where you use source IP spoofing/asymmetric routing.

It's still possible to restrict it, but simple RPF checks don't always cut it.


Let's rephrase the question - Is there any reason consumer ISPs don't follow BCP38?

There is almost no reason whatsoever for clients to spoof their public IP address. Obviously, there are reasons to SNAT at the carrier level for load balancing or routing purposes.

No good reason except "it costs money".
No good reason except it's for the health of the Internet.

And it doesn't cost any significant amount of money except initial configuration and automation. The "CPU power" to add an ACL on interfaces is negligible.

How could source IP spoofing help with DDoS mitigation?
This particular case relied on botnets being able to spoof their source IP to match GitHub's so the memcached responses would go to GitHub.

Google 'DRDoS attacks' to learn more. They are responsible for most of the largest volume attacks IIUC.

I understand the attack, I don't understand how it could be mitigated using the same technique.
There are many scenarios where you send off traffic to another datacenter using a GRE tunnel or EVPN.