Most DDoS attacks send the majority of their traffic from unsuspecting and unwilling hosts. Hopefully, as these patterns become more and more well known the weaknesses that allow that to happen will be increasingly less common.
Don't they do that because the servers tend to have a higher bandwidth connection, and NTP amplification attacks let you make use of that even if your own is slower?
