Put another way, anti-spoofing does three things: it makes reflector attacks harder, it makes it easier to use ACLs to block sources, and it helps people track down the bot and notify the admin. Are people actually successfully doing either of the latter two? I think it's a time constraint- looking up, sorting and notifying admins about 10,000 attack sources isn't practical. I'd love to do it- but I don't have time. That said- if someone notifies me of a compromised host I immediately investigate- and I suspect so would everyone else on this
list. Has anyone put together a centralized system where you can send in a list of attacking bots, let it automatically sort by allocation, and then let it notify the appropriate admin with a list of [potentially] compromised hosts? Then again: Considering how many admins don't care, how many end users don't care/know, and how quickly many of thee systems would get re-infected maybe it's all a bit pointless.
I'd be surprised if there were much of either. That leaves reflector attacks. Are those that large a portion of the attacks people are seeing? Everything I have seen of late has been legitimate traffic originating from across the globe. With tens of thousands of compromised hosts that's all it takes.
-Don