Egress filtering: the cheap defence we keep not implementing
If every operator on the internet did one cheap thing — filter outgoing packets to ensure source addresses are correct — most distributed attack tools would not work. We do not do this. The reasons are interesting and mostly not technical.