QUIC datagrams should be as spoofable as anything else using UDP.
The _QUIC Crypto_ design doc contains a section that covers spoofing [1], and seems to push responsibility for DDoS mitigation to the server implementation:
"[...] servers may decide to relax source address restrictions dynamically. One can imagine a server that tracks the number of requests coming from different IP addresses and only demands source-address tokens when the count of “unrequited” connections exceeds a limit globally, or for a certain IP range. This may well be effective but it’s unclear whether this is globally stable. If a large number of QUIC servers implemented this strategy then a substantial mirror DDoS attack may be split across them such that the attack threshold wasn’t reached by any one server."
The _QUIC Crypto_ design doc contains a section that covers spoofing [1], and seems to push responsibility for DDoS mitigation to the server implementation:
"[...] servers may decide to relax source address restrictions dynamically. One can imagine a server that tracks the number of requests coming from different IP addresses and only demands source-address tokens when the count of “unrequited” connections exceeds a limit globally, or for a certain IP range. This may well be effective but it’s unclear whether this is globally stable. If a large number of QUIC servers implemented this strategy then a substantial mirror DDoS attack may be split across them such that the attack threshold wasn’t reached by any one server."
[1] https://docs.google.com/document/d/1g5nIXAIkN_Y-7XJW5K45IblH...