A lot of the old DDoS attacks rely on the ability to spoof your IP address. Many networks are now configured to drop packets exiting their network that don’t have an address from their network.

For example, in a Smurf attack the attacker finds broadcast IP addresses by sending an ICMP request to an address and counting the number of ICMP replies that come back. A broadcast IP address is one that sends a packet to every host on a network (often with 255 as the last octet, like 207.103.0.255 for a Class C network of 207.103.0.0/24).

After finding suitably large networks with an open broadcast IP address, they then send packets to the broadcast IP address with a spoofed IP address of the victim. The attack is then multiplied by however many hosts are on the broadcast IP address network.

DNS reflection is another type of DDoS attack that also relies on the ability to spoof an IP address of the victim.
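The two defences the comment above alludes to, dropping packets that leave a network with a source address the network does not own (BCP38 egress filtering) and refusing directed broadcasts from outside (the Smurf fix), can be expressed as a small edge-router policy. The following is an added illustration, not code from the commenter; the prefixes, packets and addresses are constructed documentation values, and the `Packet` records stand in for header fields a real filter would read from the wire.

```python
import ipaddress
from dataclasses import dataclass

# Prefixes the hypothetical edge router is responsible for
# (constructed RFC 5737 documentation addresses, not a real network).
OWN_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


@dataclass(frozen=True)
class Packet:
    src: str        # source IPv4 address as it appears in the header
    dst: str        # destination IPv4 address
    direction: str  # "egress" (leaving our network) or "ingress" (arriving from outside)


def in_own_prefixes(address: str, prefixes=OWN_PREFIXES) -> bool:
    """True if the address falls inside a prefix this network owns."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in prefixes)


def is_directed_broadcast(address: str, prefixes=OWN_PREFIXES) -> bool:
    """True if the address is the subnet broadcast address of one of our prefixes."""
    addr = ipaddress.ip_address(address)
    return any(addr == net.broadcast_address for net in prefixes)


def classify(pkt: Packet, prefixes=OWN_PREFIXES) -> str:
    """Return "forward" or a drop reason for one packet at the network edge."""
    if pkt.direction == "egress":
        # BCP38 egress filtering: anything leaving must carry a source we own;
        # otherwise it is spoofed and our network would be the launch point.
        if not in_own_prefixes(pkt.src, prefixes):
            return "drop: spoofed source on egress (BCP38)"
        return "forward"
    if pkt.direction == "ingress":
        # Our own addresses never legitimately arrive from the outside.
        if in_own_prefixes(pkt.src, prefixes):
            return "drop: own prefix as source on ingress"
        # Refuse to act as an amplifier: no directed broadcast from outside.
        if is_directed_broadcast(pkt.dst, prefixes):
            return "drop: directed broadcast from outside"
        return "forward"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def filter_packets(packets, prefixes=OWN_PREFIXES):
    """Apply classify() to each packet; return a list of (packet, verdict)."""
    return [(p, classify(p, prefixes)) for p in packets]


# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet("198.51.100.7", "192.0.2.53", "egress"),     # legitimate outbound
    Packet("192.0.2.99", "192.0.2.53", "egress"),       # source address is not ours
    Packet("192.0.2.99", "198.51.100.255", "ingress"),  # directed broadcast from outside
    Packet("192.0.2.99", "198.51.100.10", "ingress"),   # ordinary inbound
    Packet("203.0.113.4", "198.51.100.10", "ingress"),  # our own prefix arriving from outside
]

if __name__ == "__main__":
    for pkt, verdict in filter_packets(SAMPLE):
        print(f"{pkt.direction:7} {pkt.src:>15} -> {pkt.dst:<15} {verdict}")
```

The ingress check on our own prefixes is the mirror image of the egress rule: a packet claiming to come from inside but arriving on the outside interface is just as spoofed as one leaving with a foreign source, and dropping both directions is what stops a network from being either the origin or the amplifier in the attacks described above.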
Once you get to a certain scale, you don’t really worry about those vectors anymore.

The more interesting/difficult to mitigate attacks are those that complete handshakes (if TCP) and make fully formed requests at L7 that otherwise appear legitimate.
Can't spoof IP on a device behind CGNAT either, can you?