
In addition, it's network engineers' responsibility to prevent source address spoofing by dropping all outgoing packets having a source address that's not on a connected subnet.



I have wondered about this; does anyone who knows more about networks than me know why source-address spoofing is still alive and well when it was a known issue at least as far back as the late '90s (when I first learned about smurf attacks).

In particular since most DDoS attacks originate from botnets, simply egress filtering at the ISP level should be sufficient.


Laziness on the part of the network operators.

Seriously, they're just too lazy to auto-generate firewall rules from their list of assigned addresses.


I would argue Hanlon's razor applies here.

I think vendors also have some responsibility. The defaults are bad and the vendors make their devices hard to manage on purpose (for lock-in reasons). I'm looking at Cisco in particular.


Nope: someone will come up and say "network neutrality" and believe he would be right in this case.


Strongly disagree. Strict uRPF is pretty much impossible to implement. The only plausible place to implement it is directly at the edge where a single AS owns both sides of the link. Think DSLAM or other consumer agg device. Any connection to a multihomed peer, or peer with a different AS, can't have strict uRPF enabled.

Once you get away from the network edge the only possible uRPF is loose mode. But that's a restricted implementation as plenty of stubs out there use default routes. Then asymmetric routes are so common as to rule out the use of feasible uRPF completely.

So in summary, it has to be the edge networks who enforce this. And the prime intermediate offenders actually have a monetary incentive to not prevent this traffic.
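The two comments above (auto-generating egress rules from the assigned-address list, and strict versus loose uRPF breaking on multihoming and default routes) can be modelled in a few lines. This is an added example, not code from the thread or from any vendor: the routing table, the interface names (`cust0`, `cust1`, `up0`), the documentation prefixes and the rendered nftables fragment are all constructed sample data, and the `allow_default` switch is an assumption modelled on how common router implementations treat the default route in loose mode.

```python
"""Egress filtering and uRPF checks on a toy FIB (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str


# Constructed FIB for a hypothetical edge router: "cust*" are customer-facing
# ports, "up0" is the upstream link. Addresses are RFC 5737 documentation ranges.
FIB: List[Route] = [
    Route(ip_network("198.51.100.0/24"), "cust0"),
    # Multihomed customer: the other half of its /24 is learned via the
    # upstream, so return traffic for it is asymmetric relative to cust1.
    Route(ip_network("203.0.113.0/25"), "cust1"),
    Route(ip_network("203.0.113.128/25"), "up0"),
    Route(ip_network("0.0.0.0/0"), "up0"),  # default route
]

# Address space this hypothetical operator has been assigned.
ASSIGNED: List[IPv4Network] = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]


def best_route(fib: Iterable[Route], addr: IPv4Address) -> Optional[Route]:
    """Longest-prefix match, as a FIB lookup does."""
    matches = [r for r in fib if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def egress_allowed(assigned: Iterable[IPv4Network], src: str) -> bool:
    """BCP38-style egress filter: only packets sourced from our own space may leave."""
    a = ip_address(src)
    return any(a in net for net in assigned)


def urpf_strict(fib: Iterable[Route], src: str, in_iface: str) -> bool:
    """Strict uRPF: the best route back to src must point at the ingress interface.
    Fails for legitimate asymmetric traffic, which is why it only fits the edge."""
    r = best_route(fib, ip_address(src))
    return r is not None and r.iface == in_iface


def urpf_loose(fib: Iterable[Route], src: str, allow_default: bool = False) -> bool:
    """Loose uRPF: any route to src suffices. A default route is ignored unless
    allow_default is set (assumption modelled on common router behaviour);
    with allow_default=True a default route lets every source through."""
    r = best_route(fib, ip_address(src))
    if r is None:
        return False
    if r.prefix.prefixlen == 0 and not allow_default:
        return False
    return True


def nft_egress_rules(assigned: Iterable[IPv4Network], out_iface: str = "up0") -> str:
    """Render an nftables egress filter from the assigned-prefix list."""
    elems = ", ".join(str(n) for n in assigned)
    return "\n".join([
        "table inet bcp38 {",
        f"  set assigned {{ type ipv4_addr; flags interval; elements = {{ {elems} }} }}",
        "  chain egress {",
        "    type filter hook forward priority 0; policy accept;",
        f'    oifname "{out_iface}" ip saddr != @assigned counter drop',
        "  }",
        "}",
    ])


if __name__ == "__main__":
    # Spoofed source arriving on the wrong customer port: strict catches it.
    print("strict, spoofed 198.51.100.7 on cust1:", urpf_strict(FIB, "198.51.100.7", "cust1"))
    # Legitimate but asymmetric multihomed traffic: strict wrongly drops, loose passes.
    print("strict, 203.0.113.200 on cust1:", urpf_strict(FIB, "203.0.113.200", "cust1"))
    print("loose,  203.0.113.200:", urpf_loose(FIB, "203.0.113.200"))
    # Source reachable only via the default route: loose fails unless allow_default.
    print("loose,  192.0.2.5:", urpf_loose(FIB, "192.0.2.5"), urpf_loose(FIB, "192.0.2.5", allow_default=True))
    print(nft_egress_rules(ASSIGNED))
```

The egress rule set is the cheap, always-correct check at the edge: it needs only the operator's own allocation list, which is exactly the "auto-generate from assigned addresses" point made above. The uRPF functions show why the same idea stops working one hop inward: strict mode rejects the multihomed customer's legitimate return path, and loose mode degrades to no check at all once a default route is allowed.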


What kind of connection do you need to the Internet to spoof the source address these days? I.e., who isn't egress filtering?


I was wondering the same thing. I live in a third world country and I've never seen a connection with no egress filtering.



