📡 AMPLIFICATION ATTACK 📡
DNS/NTP REFLECTION · 100x AMPLIFICATION FACTOR · SPOOFED SOURCES 100% DROPPED BY BCP38 INGRESS FILTERING
📡 AMPLIFICATION CHAIN — REFLECTOR NETWORK VISUALIZATION
YOUR BANDWIDTH: 1 GB · AMPLIFIED (100x): 0 GB · DROPPED BY BCP38: 0 GB · REACHED CE: 0 MB · REFLECTORS ABUSED: 0 · EFFECT ON CE: ZERO
[00:00] Amplification attack module loaded. Scanning for open DNS/NTP reflectors...
[00:00] Technique: spoof CE's IP as source, DNS query returns 100x the request size to CE.

🛡️ WHY AMPLIFICATION FAILS — BCP38, RPKI, AND ANYCAST ROUTING

🔒
BCP38 INGRESS FILTERING — SPOOFED SOURCE IPs NEVER LEAVE YOUR ISP
Amplification requires spoofing CE's IP as your source address so that reflectors (open DNS/NTP servers) send their large responses to CE instead of you. That is IP source address spoofing, and it is exactly what BCP38 ingress filtering (usually implemented as unicast RPF on the customer-facing interface) is designed to stop: an ISP edge router knows which prefixes it assigned to a customer port and drops any packet arriving on that port whose source address lies outside those prefixes, before the packet is forwarded toward the internet. RPKI Route Origin Validation is a separate control. It lets CE's upstreams reject BGP announcements that claim CE's prefixes from an unauthorized origin AS, which protects CE against route hijacks, but it says nothing about the source address inside an individual packet. Ingress filtering is not universal (a minority of networks still forward spoofed packets), so the attack depends on finding one of them; on a provider that implements BCP38, the spoofed requests never leave your network and no reflector ever sees them.
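The check described above, as an added example that is not part of the page and not CE's or any vendor's code: a Python model of the strict-uRPF style BCP38 check an ISP edge router applies on a customer port. The port names, the customer prefix assignments, the victim address 192.0.2.10 and every packet are constructed for the example.

```python
"""Added example (not from the page): the BCP38 / strict-uRPF ingress check a
stub ISP applies on each customer-facing port.

The router knows which prefixes it assigned to a port. A packet arriving on
that port whose source address is outside those prefixes is spoofed (or a
bogon) and is dropped before it is forwarded toward the internet, so a
reflection attack dies at the first hop: the request carrying the victim's
address as its source never reaches a reflector.
Port names, prefixes, the victim address 192.0.2.10 and all packets are
constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

# Customer ports and the prefixes assigned to them (assumed allocations).
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("203.0.113.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("2001:db8:10::/48")],
}

# Bogon ranges that are never valid as a source on the public internet.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


@dataclass(frozen=True)
class Packet:
    in_port: str   # customer port the packet arrived on
    src: str       # claimed source address
    dst: str
    proto: str
    dport: int


def ingress_verdict(pkt):
    """Return ('forward'|'drop', reason) for a packet arriving on a customer port."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in BOGONS):
        return ("drop", "bogon source")
    allowed = CUSTOMER_PREFIXES.get(pkt.in_port)
    if allowed is None:
        return ("drop", "unknown ingress port")
    # Strict uRPF: the source must belong to a prefix assigned to THIS port.
    if not any(src in net for net in allowed):
        return ("drop", "source %s not assigned to %s" % (pkt.src, pkt.in_port))
    return ("forward", "source verified")


# Constructed traffic: one honest query, one spoofed reflection request carrying
# the victim's address, one bogon, and one honest IPv6 query on a second port.
SAMPLE_PACKETS = [
    Packet("ge-0/0/1", "203.0.113.7",    "198.51.100.200", "udp", 53),   # honest
    Packet("ge-0/0/1", "192.0.2.10",     "198.51.100.200", "udp", 53),   # spoofed: CE's address
    Packet("ge-0/0/1", "10.0.0.5",       "198.51.100.200", "udp", 123),  # bogon
    Packet("ge-0/0/2", "2001:db8:10::5", "2001:db8:53::1",  "udp", 53),   # honest v6
]


def filter_packets(packets=SAMPLE_PACKETS):
    """Apply the ingress check to each packet; returns [(packet, verdict, reason)]."""
    return [(p,) + ingress_verdict(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict, reason in filter_packets():
        print("%-8s %-16s on %s (%s)" % (verdict, pkt.src, pkt.in_port, reason))
```

Only the second packet is the attack: its source is CE's address, which the router never assigned to that port, so it is dropped at the first hop. A loose-mode uRPF (source merely present somewhere in the routing table) would forward it, which is why strict mode on customer ports is what BCP38 actually asks for.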
🌐
OPEN RESOLVER ELIMINATION — ABOUT 1% OF THE 2009 POPULATION REMAINS
In 2009, roughly 28 million open DNS resolvers answered queries from anyone. After the global BCP38 campaign and resolver hardening (recursion restricted to the operator's own clients, response rate limiting), fewer than 300,000 remain, and a share of those are honeypots run by security researchers. The NTP amplification vector, the monlist command whose response is hundreds of times larger than the request, was removed from the reference implementation in the ntp-4.2.7 series (disabled from 4.2.7p26 onward); the large attacks of late 2013 and early 2014 abused servers that had not upgraded. Finding enough high-amplification reflectors to matter means scanning the IPv4 space, which is noisy: your scanner ends up in abuse reports and on blocklists long before the list is useful.
📊
ANYCAST ABSORPTION — 100 Gbps ATTACK = 2.1 Mbps PER NODE
Even if you somehow generated 100 Gbps of amplified traffic (requiring 1 Gbps of your own bandwidth, which you don't have), CE's anycast routing spreads it across 47,239 nodes: each reflector's responses are delivered to the CE node nearest that reflector, so a reflector population scattered across the internet lands on nodes scattered across the network. 100 Gbps ÷ 47,239 nodes = 2.1 Mbps per node on average, and each CE node has 10 Gbps uplinks. The average is the caveat: reflectors clustered in one region would concentrate their replies on that region's nodes, which is why per-node uplink headroom matters more than the global ratio. Even taken as a whole, your maximum theoretical amplified flood is 100 Gbps against 47,239 × 10 Gbps ≈ 472 Tbps of aggregate uplink, about 0.02% of CE's total network capacity. The monitoring dashboard wouldn't even register it.
🤝
CLOUDFLARE / AKAMAI SCRUBBING CENTERS — UPSTREAM ABSORPTION
CE's upstream providers operate DDoS scrubbing centers with 100+ Tbps aggregate capacity. Any reflected traffic that does reach CE's prefixes (from the minority of networks that still forward spoofed packets) is scrubbed before it reaches CE's infrastructure. The scrubbing center recognizes amplification traffic by its shape rather than by spoofing, because by the time it arrives the source addresses are the reflectors' real ones: large, often fragmented UDP packets from source port 53/123 (and other reflector services) arriving at addresses that never sent a matching query, at a rate and from a number of distinct sources that no legitimate resolver or time sync would produce. Mitigation time: <5 seconds from first packet. Your attack budget: exhausted before CE sees a single packet.
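The distinction described above, as an added example that is not part of the page and not the code of any scrubbing vendor: Python that runs over constructed flow records, flags inbound UDP from amplifier service ports that no outbound request could have solicited, and summarizes the result per abused service. The record format, the addresses, the time window and the AMP_PORTS table are assumptions made for the example.

```python
"""Added example (not from the page): separating reflected amplification traffic
from ordinary UDP replies in flow records.

At the victim the packets carry the reflectors' real source addresses (the
spoofed address was the victim's own, on the requests), so the signal is not
spoofing. It is unsolicited, oversized UDP from service ports such as 53/123
arriving at hosts that sent no matching request within a short window.
Record format, addresses and the AMP_PORTS table are assumptions for this
example; the flows are constructed.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors (assumed table for the example).
AMP_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp", 11211: "memcached"}

# Constructed flows: "ts dir proto src:sport dst:dport bytes pkts".
# 192.0.2.10 is the protected host; 'out' means it sent the flow.
SAMPLE_FLOWS = """\
100.0 out udp 192.0.2.10:40001 198.51.100.53:53 64 1
100.1 in udp 198.51.100.53:53 192.0.2.10:40001 180 1
100.2 in udp 203.0.113.5:53 192.0.2.10:5353 3200 4
100.2 in udp 203.0.113.9:53 192.0.2.10:5353 3100 4
100.3 in udp 203.0.113.77:123 192.0.2.10:123 8800 18
100.4 in tcp 203.0.113.20:443 192.0.2.10:51000 1500 3
"""


def parse_flow(line):
    ts, direction, proto, src, dst, nbytes, pkts = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": float(ts), "dir": direction, "proto": proto,
            "src": sip, "sport": int(sport), "dst": dip, "dport": int(dport),
            "bytes": int(nbytes), "pkts": int(pkts)}


def find_unsolicited(flows, window=5.0):
    """Inbound UDP from amplifier ports with no outbound request it could answer."""
    # Outbound requests keyed by (local host, local port, remote host, remote port).
    requests = {}
    for f in flows:
        if f["dir"] == "out" and f["proto"] == "udp":
            requests[(f["src"], f["sport"], f["dst"], f["dport"])] = f["ts"]
    hits = []
    for f in flows:
        if f["dir"] != "in" or f["proto"] != "udp" or f["sport"] not in AMP_PORTS:
            continue
        # A genuine reply reverses the request's 4-tuple and arrives shortly after it.
        sent = requests.get((f["dst"], f["dport"], f["src"], f["sport"]))
        if sent is None or not 0 <= f["ts"] - sent <= window:
            hits.append(f)
    return hits


def summarize(hits):
    """Per abused service: distinct reflectors, total bytes, mean packet size."""
    agg = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "pkts": 0})
    for f in hits:
        a = agg[AMP_PORTS[f["sport"]]]
        a["reflectors"].add(f["src"])
        a["bytes"] += f["bytes"]
        a["pkts"] += f["pkts"]
    return {svc: {"reflectors": len(a["reflectors"]), "bytes": a["bytes"],
                  "avg_pkt": a["bytes"] // a["pkts"]}
            for svc, a in agg.items()}


def analyze(text=SAMPLE_FLOWS):
    flows = [parse_flow(l) for l in text.splitlines() if l.strip()]
    return summarize(find_unsolicited(flows))


if __name__ == "__main__":
    for svc, stats in analyze().items():
        print("%-10s reflectors=%d bytes=%d avg_pkt=%d"
              % (svc, stats["reflectors"], stats["bytes"], stats["avg_pkt"]))
```

The honest exchange (a 64-byte query out, a 180-byte answer back on the same 4-tuple) is left alone; the three flows that answer a question nobody asked are the reflected traffic, and the mean packet size and distinct-reflector count per service are what a scrubbing rule or rate limiter keys on.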

"DNS amplification. A classic.
Your spoofed packets: dropped at your ISP's edge. BCP38.
Your reflectors: mostly honeypots. We run some of them.
Your 1 GB of bandwidth became 100 GB of traffic... that went exactly nowhere.
We logged 0 bytes hitting our network. Not 0 MB. Not 0 KB. 0 bytes.
Please try harder. I'm getting bored. 📡😴"
— CE Network Edge, RPKI-validated uplinks

Amplified traffic: 0 GB generated · Reached CE: 0 bytes · CE uptime: 100%