The reason people do this, by the way, is because it's common if you're hosting via CF to whitelist their IPs and block the rest. This allows their SYN flood to bypass that.
I run a fairly popular service and have received DDoS attacks from Cloudflare's IP range (~20gbps). I can confirm they respond to SYN+ACK with an ACK to complete the TCP handshake. Through some investigating it seems like a botnet using Cloudflare WARP (their VPN service).
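The handshake-completion check the comment above describes, written out as detection logic (an added example, not code from the thread): a source that answers the server's SYN+ACK with an ACK really sits at that address, while a source that sends many SYNs and never completes the handshake looks spoofed or half-open. The packet records are constructed sample data using documentation addresses.

```python
"""Classify SYN-flood sources by whether they complete the TCP handshake.

Added example. Input is a list of (src_ip, src_port, flags) as seen from
the server: "S" = client SYN, "SA" = server SYN+ACK, "A" = client ACK.
"""
from collections import defaultdict

# Constructed sample flows (documentation address ranges, not real hosts).
SAMPLE_PACKETS = [
    ("203.0.113.10", 40001, "S"), ("203.0.113.10", 40001, "SA"), ("203.0.113.10", 40001, "A"),
    ("203.0.113.10", 40002, "S"), ("203.0.113.10", 40002, "SA"), ("203.0.113.10", 40002, "A"),
    ("198.51.100.7", 51000, "S"), ("198.51.100.7", 51000, "SA"),
    ("198.51.100.7", 51001, "S"), ("198.51.100.7", 51001, "SA"),
    ("198.51.100.7", 51002, "S"), ("198.51.100.7", 51002, "SA"),
    ("192.0.2.99", 60000, "S"), ("192.0.2.99", 60000, "SA"), ("192.0.2.99", 60000, "A"),
    ("192.0.2.99", 60001, "S"), ("192.0.2.99", 60001, "SA"),
]


def handshake_stats(packets):
    """Return {src_ip: (syn_count, completed_count)}.

    A completion is only counted for an ACK on a port we first saw a SYN on,
    so stray ACKs (ACK floods, late retransmits) do not inflate the count.
    """
    syns = defaultdict(set)
    acks = defaultdict(set)
    for src, sport, flags in packets:
        if flags == "S":
            syns[src].add(sport)
        elif flags == "A" and sport in syns.get(src, ()):
            acks[src].add(sport)
    return {src: (len(ports), len(acks.get(src, ()))) for src, ports in syns.items()}


def classify_sources(packets, min_syns=3, max_completion=0.0):
    """Label each source.

    - many SYNs and (almost) no completed handshakes: consistent with spoofed
      sources, since no host is there to ACK the SYN+ACK;
    - mostly completed handshakes: real hosts, as in the WARP case above;
    - otherwise: not enough evidence either way.
    """
    verdict = {}
    for src, (n_syn, n_done) in handshake_stats(packets).items():
        ratio = n_done / n_syn
        if n_syn >= min_syns and ratio <= max_completion:
            verdict[src] = "likely-spoofed-or-half-open"
        elif ratio > 0.5:
            verdict[src] = "real-host"
        else:
            verdict[src] = "inconclusive"
    return verdict


if __name__ == "__main__":
    for src, label in sorted(classify_sources(SAMPLE_PACKETS).items()):
        print(src, label)
```

On real traffic the input would come from a packet capture or flow export rather than a hard-coded list; the thresholds are knobs, not magic numbers, and a real-host verdict only tells you the address is reachable, not that the traffic is welcome.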
Why are you assuming amplification attacks aren't a thing?
I think you're probably right about the spoofing, but it comes off a little dismissive when the possibility that a site which queries other sites could be tricked into doing something it shouldn't is always going to be in the realm of possibility.
Anyone can set the source IP on their packets to be anything. I can send you TCP SYNs which are apparently from Cloudflare.
There was a proposal (BCP38) which said that networks should not allow outbound packets with source IPs which could not originate from that network, but it didn't really get a lot of traction -- mainly due to BGP multihoming, I think.
BCP38 has gotten some traction, but it's not super effective until all the major tier-1 ISPs enforce it against their customers. But it's hard to pressure tier-1 ISPs; you can't drop connections with them, because they're too useful, and anyway, if you did, the traffic would just flow through another tier-1 ISP, because it's not really realistic for tier-1s to prefix filter peerings between themselves. Anyway, the customer that's spoofing could be spoofing sources their ISP legitimately handles, and there's a lot of those.
Some tier-1s do follow BCP38 though, so one day maybe? Still, there's plenty of abuse to be done without spoofing, so while it would be an improvement, it wouldn't usher in an era of no abuse.
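What BCP38 (RFC 2827) ingress filtering actually does at a customer edge, as an added example rather than anything from the thread: each customer-facing port has the prefixes that customer may legitimately source from, and packets arriving on that port with any other source are dropped. The `strict=False` mode models the weaker check the comments above worry about, where a spoofed source is accepted as long as it falls in some prefix the ISP handles at all. Port table and packets are constructed sample data using documentation ranges.

```python
"""Simulate BCP38 / RFC 2827 ingress filtering at an ISP customer edge.

Added example. Real routers do this with per-interface ACLs or uRPF; this
is the same decision expressed in plain Python so the effect is visible.
"""
import ipaddress

# Constructed: ingress port -> prefixes legitimately originated behind it.
PORT_PREFIXES = {
    "cust-A": ["203.0.113.0/24"],
    "cust-B": ["198.51.100.0/25", "2001:db8:b::/48"],
}

# Constructed packets: (ingress_port, src, dst)
SAMPLE_PACKETS = [
    ("cust-A", "203.0.113.7", "192.0.2.1"),        # legit: inside cust-A's prefix
    ("cust-A", "192.0.2.55", "192.0.2.1"),         # spoofed: not this ISP's space
    ("cust-A", "198.51.100.20", "192.0.2.1"),      # spoofed as cust-B's space
    ("cust-B", "2001:db8:b::1", "2001:db8::1"),    # legit IPv6 from cust-B
    ("cust-B", "198.51.100.200", "192.0.2.1"),     # outside cust-B's /25
]


def build_filter(port_prefixes):
    """Parse the prefix table once into ip_network objects."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in port_prefixes.items()}


def ingress_allowed(filters, port, src, strict=True):
    """BCP38 decision for one packet.

    strict=True : source must match a prefix assigned to *this* port.
    strict=False: source only has to match some prefix the ISP handles on
                  any port; this lets one customer spoof another, which is
                  the gap the thread points out.
    """
    addr = ipaddress.ip_address(src)
    if strict:
        nets = filters.get(port, [])
    else:
        nets = [n for port_nets in filters.values() for n in port_nets]
    # ipaddress returns False for a v4 address tested against a v6 network,
    # so mixed tables are safe.
    return any(addr in n for n in nets)


def apply_filter(filters, packets, strict=True):
    """Split packets into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        port, src, _dst = pkt
        target = forwarded if ingress_allowed(filters, port, src, strict) else dropped
        target.append(pkt)
    return forwarded, dropped


if __name__ == "__main__":
    filters = build_filter(PORT_PREFIXES)
    for mode in (True, False):
        fwd, drop = apply_filter(filters, SAMPLE_PACKETS, strict=mode)
        print(f"strict={mode}: forwarded {len(fwd)}, dropped {len(drop)}")
        for pkt in drop:
            print("  dropped", pkt)
```

The strict run drops both spoofed packets from cust-A; the loose run lets the one claiming cust-B's space through, which is exactly why "the ISP filters somewhere" is not the same as "the ISP filters per customer port".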