Comment by toast0

The Microsoft blog suggests there was miminal source spoofing (although I don't know how they determine that). But if you can't trust the IP source, packet samples from your border router should indicate which upstream is sending those packets ... then you ask them to find the source... eventually you'll get somewhere ... but when the sources are distributed, it's not so helpful to find the source, unless there's a mechanism to stop the source from sending it.

When I was running servers that would routinely attract DDoSed at ~ 10 Gbps, I ended up always running a low sample rate packet capture. Anytime I noticed a DDoS, I could go and look at the packets. If you've got connectivity to sink and measure 15 Tbps of DDoS, you can probably influence your providers to take some sampled packet captures and look at them too.

Even without clear information from packet captures, 15 Tbps is going to make an impact on traffic graphs, and you can figure out sources from those, although it might be a bit tricky because the attack duration was reported at only 40 seconds, so if someone only has hourly stats, it might be too small to be noticed; but once a minute stats are pretty common.