These amplification attacks rely on spoofing ... why the fuck in this day and age can we still spoof our IPs with so many ISPs? Routers should have been designed long ago to allow them to do ingress/egress filtering by default (they can do it, but it takes scarce resources). The problem is perverse incentives ... on average DDoSes don't generate losses for the big networks and ISPs so they aren't in a hurry to solve it.