What if a ddos attacker hits public websites (google, amazon etc) with some requests but spoofed the souce ip to the victim’s ip. Now the responses will be sent to the victim’s ip.
Attacker can rotate between the millions of public websites so that the site wont find anything suspicious.
This seems like an easier way than having a malware botnet to do it. The attacker is just using the websites as botnet. Anyone can just do it with the personal computer (or faster and high bandwidth aws/azure VM) and with just 10-20 lines of code.
Why ddos attackers are not doing this instead of buying botnets?