https://www.internetsociety.org/sites/default/files/01_5.pdf
The attack is triggered by a few spoofs somewhere in the world. It is not feasible to stop this.
That paper is about reflection attacks. From what I've read, this was not a reflection attack. The IoT devices are infected with botware which sends attack traffic directly. Address spoofing is not particularly useful for controlling botnets. For example, the Conficker botnet generated pseudo-random domain names where the bots looked for control traffic.
Please see https://www.ietf.org/rfc/rfc6561.txt
Uh, yes, we're familiar with that. We even know the people who wrote it. It could use an update for IoT since I get the impression that in many cases the only way for a nontechnical user to fix the infection is to throw the device away. Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly