If this was a botnot, any one ISP is only seeing a tiny fraction of the load.
Even if it were from a single source, it also isn't that hard to find an ISP that doesn't care. (They cost slightly more, but if you're a bad actor, presumably it is worth it.)
Edit:
"I think pretty much any ISP wouldn't let such packets through"
If you google "BCP38", you will find well over a decade of network operators discussing specifically this topic and the reasons why ISPs (and other networks) don't, not to mention all the fun the kvetching and meta-kvetching that accompanies any technical discussion that's lasted so long.
Even if it were from a single source, it also isn't that hard to find an ISP that doesn't care. (They cost slightly more, but if you're a bad actor, presumably it is worth it.)
Edit:
"I think pretty much any ISP wouldn't let such packets through"
If you google "BCP38", you will find well over a decade of network operators discussing specifically this topic and the reasons why ISPs (and other networks) don't, not to mention all the fun the kvetching and meta-kvetching that accompanies any technical discussion that's lasted so long.