omani 2 hours ago
One way to mitigate DDoS is to enforce source IP checks on the way OUT of a datacenter (egress). Sure, there are botnets, infected devices, etc. that would conform to this, but where does the sheer power of a big DDoS attack come from? Including those who sell it as a service. They have to have some infrastructure in some datacenter, right? Make a law that forces every edge router of a datacenter to check for source IP and you would eliminate a very big portion of DDoS as we know it. Until then, the only real and effective method of mitigating a DDoS attack is with even more bandwidth. You are basically a black hole to the attack, which Cloudflare basically is.
vlovich123 2 hours ago
The biggest attacks literally come from botnets. There’s not a lot coming from infrastructure services precisely because these services are incentivized to shut that shit down. At most it would be used as the control plane which is how people attempt to shut down the botnets.
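An added illustration (not code from either commenter) of the egress source-IP check described in the first comment, using constructed documentation prefixes and packets; the function names are hypothetical. It also shows the case both comments mention: traffic from a compromised host that uses its own real address passes the check.

```python
import ipaddress

# Constructed example: prefixes assigned to hosts inside one datacenter
# (documentation ranges, not real allocations).
ASSIGNED_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]

def egress_permits(src, prefixes=ASSIGNED_PREFIXES):
    """Return True if a packet with source address `src` may leave the site."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: drop
    # Only compare against prefixes of the same IP version.
    return any(addr.version == net.version and addr in net for net in prefixes)

def filter_egress(packets, prefixes=ASSIGNED_PREFIXES):
    """Split (src, dst) pairs into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for src, dst in packets:
        target = forwarded if egress_permits(src, prefixes) else dropped
        target.append((src, dst))
    return forwarded, dropped

# Constructed sample traffic arriving at the datacenter edge on its way out.
SAMPLE = [
    ("198.51.100.23", "203.0.113.9"),        # host using its own address
    ("192.0.2.77", "203.0.113.9"),           # source outside assigned space
    ("2001:db8:10::5", "2001:db8:ffff::1"),  # own IPv6 address
    ("2001:db8:99::5", "2001:db8:ffff::1"),  # IPv6 source outside assigned space
    ("198.51.100.40", "203.0.113.9"),        # compromised host, real source address
]

if __name__ == "__main__":
    fwd, drop = filter_egress(SAMPLE)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
```

The filter removes only packets whose source address falls outside the site's assigned prefixes; it has no way to tell a legitimate flow from a flood sent by a host using its own address.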