This got me wondering that, in practice, how hard would it be to spoof source IP in the internet? I assume it requires some controls on an Tier-1 ISP network (so that the the spoofed package would not be filtered by upstream)?

Though apparently it doesn’t help in this case because it’s HTTP/TCP which requires a handshake