1. Victim blaming is when you excuse someone's bad behaviour with the justification that the person(s) negatively affected by it could have protected/tried to protect themselves against it. That doesn't have anything to do with the question whether you should try to protect yourself, or whether you might have some obligation to try and protect others.
2. Based on your logic, what you are doing would be victim blaming: Incompetent ISPs don't perform DDoS attacks, and yet you seem to see some sort of obligation on their part to implement BCP 38 to protect others from that bad behavior of others. The ISP is just as much a victim in a position where they can help and protect others as people running UDP services.
Services used in amplification attacks are victims because their services are being DoS'ed as well and their IPs are the ones that end up on flowspec block lists.
They are also victims from the second order effects of idiots in prominent places claiming that their services are the source of the Internet's woes (e.g. Cloudflare's ridiculing of dns resolver operators).
Your entire second point is nonsensical because they aren't impacted by DoS attacks. They aren't 'victims' in any sense.
Also, people running UDP services cannot stop source spoofed DDoS attacks. You can block the entire UDP protocol today and the problem of untraceable attacks will be just as prevalent tomorrow. The largest attack observed (>1tbps didn't use amplifying UDP services at all).
BCP 38 would end this problem, full stop. ISPs complicit in what amounts to fraud deserve no sympathy. On most routers, ingress filtering is a one line option. Yet people like you promote breaking changes to UDP protocols as a half-baked solution that doesn't do anything to actually stop source spoofed DDoS attacks. It baffles me.
I agree that vilifying UDP doesn't really help anyone, but that's kindof besides the point.
Victim blaming is wrong because you divorce someone's intentional decision to cause harm from their responsibility for the resulting harm. To take the classical example: It's not inherently wrong to tell people that they should avoid situations that empirically have an increased risk of being raped. It's only wrong if you then claim that the perpetrator is not responsible for what they did because the victim didn't heed that advice.
Now, whether ISPs are victims isn't really that clear. First of all, the DDoS packets consume bandwidth, which can cause increased expenses without corresponding increased income. Secondly, at least the very moment you expect them to implement BCP 38, they absolutely are. Implementing BCP 38 is additional work that's only required in order to handle the bad behavior of other people that the ISP is not responsible for, aka harm due to someone else's malicious actions.
But also, the comment that you responded to above was about DNS cache poisoning, not about DDoS. By randomizing DNS transaction IDs, you absolutely can make DNS cache poisoning harder, and I think the responsible thing to do is to protect against that attack vector. ISPs should be doing more to prevent spoofing, but that doesn't mean that it's responsible to leave your users open to spoofing-based attacks that you should be able to relatively easily prevent.
Implementing BCP 38 is additional work that's only required [..]
That's like saying that the fact that I need to lock my door makes me a 'victim' of the existence of thieves, because otherwise I wouldn't need locks. That's not how the word 'victim' is used, either in general or in this particular context. Insisting on some extremely literal interpretation on the word 'victim' is entirely unhelpful here.
It's victim blaming in the sense that an ISP which should have taken the correct steps to number their endpoints (BCP 38) is not being harassed by companies like cloudflare for DDoSes while DNS server operators are.
"Yeah, this guy stole your car by asking nicely for an extra set of keys from the manufacturer. Even though the manufacturer shouldn't have allowed him to do get a key, we're holding you responsible since you technically could have kept your car in a locked garage."
Also, the gp was taking about cache poisoning, but it was only exploitable in the presence of spoofed IPs.
No, it's telling a child that has been hit by a car repeatedly to look both ways next time, when you know it would definitely reduce their chance of getting hit.
Performing edge ingress traffic filtering of known-trunked node addresses (i.e. BCP 38) has a high likelihood of reducing the effectiveness of DDoS attacks.
1. Victim blaming is when you excuse someone's bad behaviour with the justification that the person(s) negatively affected by it could have protected/tried to protect themselves against it. That doesn't have anything to do with the question whether you should try to protect yourself, or whether you might have some obligation to try and protect others.
2. Based on your logic, what you are doing would be victim blaming: Incompetent ISPs don't perform DDoS attacks, and yet you seem to see some sort of obligation on their part to implement BCP 38 to protect others from that bad behavior of others. The ISP is just as much a victim in a position where they can help and protect others as people running UDP services.