The root cause of high scale directed amplification attacks is the failure to assure the integrity of the source IP address. This failure leads to a large set of directed amplification attack vectors. BCP38 was written in 2000, coming up on its 13th anniversary. This root cause, and various methodologies & technologies to resolve it, have been an ongoing discussion going back to the 90s. The failure to enforce this BCP or the related technological mechanisms to force implementation is the root cause of why the Internet cannot always trust source addresses and why these attack vectors persist. Until the ISP community gets serious about forcing the integrity of source addresses throughout its topology, various flavours of attack whose root cause is the spoofed source addresses will continue.

Yes, it is not easy to do because it is a transitive trust issue, linked to topology and address management policy. Yes, it would be easier if there was a magic bullet to validate source addresses built into the architecture. But there is not; the architecture is what it is. If every step of the chain enforced the integrity of source addresses, this risk would be resolved. There are multiple different steps that could be taken, including law enforcement, statute, contractual, policy, process and technological mechanisms.

Every ISP's and content provider's business model is threatened by this vulnerability. Every attack drives up operational expenses for everyone. Opportunity costs of missed sales and impacted business are everywhere. It is a pure tragedy of the commons - for lack of enforcement, the whole system is threatened in scale. This problem cannot be allowed to rest at the edges simply by pointing at the current amplification vector. Yesterday it was something different. Tomorrow it will be different again. The constant is the rising scale of the Internet and resulting increase in scale of the attack and its corresponding economic impact.
The root cause is not today's Google issue. The ISP community has the power to enforce this through policy and technological means. Whether it has the will and ability to self-organize and enforce is a different issue (and also, a long-standing one). The discussion needs to be not just about the edge issue of the day. It needs to be about what forum and what means can be used to enforce this integrity. Post-9/11 the ISP community has significantly more hammers in its arsenal now than it did in May 2000. Perhaps NANOG is not the right forum to discuss, but if not, what is?

This is truly an operational threat to the whole community. Leadership needs to come from the largest providers, not just from the smallest. Today the threat is rogue data centres hosting spammers trying to game the system, tolerated by their upstream providers. Does this really need to be a hostile state or quasi-state actor deliberately threatening the infrastructure before serious coordinated action is taken? We really do know better.

Eric Carroll