Isn’t the Internet built for spoofing who/what sent something? As I understand it, when you peel the layers and look deeper, there is no stringent authentication or identity verification that really happens, which makes it easy to exploit for DDoS attacks (using IP spoofing, which may help for certain kinds of attacks, or BGP spoofing).
