We ran into similar attacks (a couple of days back) coming from a non-spoofed
address range (being initiated from valid prefixes).

While working (w/ a co-worker of mine) on a network attack situation (trace
process) for a 30,000-user location (serving 60 other school districts)
running BCP38 & rate-limiting, which got DDoS'd w/ about 8 Mpps, it appeared
that these attacks were coming from the inside, which not only saturated
devices along the way but also got amplified into several other networks,
also causing significant flaps on its peered connection.

Besides being distracted by this incredible amount of traffic flow, our
number one goal was to prevent this bleeding. Thanks to the distributed
monitoring sensors (maybe we got lucky), we were able to identify and
sink-hole (null route) certain blocks (VLANs) while we worked with the
network/desktop team to isolate the infected machines.

This was certainly a hair-pulling experience.

The point that I'm trying to make here is that you can have data coming from
a herd of compromised hosts (bots, self-propagating worms, spam relays, fake
HTTP GET requests, backdoors, etc.) that can attack a well-protected
system(s), so any kind of defense mechanism can/will get defeated.

Then again, it doesn't mean one wouldn't want to follow well practiced

Just curious, any DDoS vendors want to share their success stories?