The attribution that's generally more valid is careful combing through the techniques, malware code, etc. and comparing it with samples from previous work. Yes, locations can be easily spoofed. Also, it's pretty easy to pivot through a hacked network within a target area so your attack source says "Indiana" but that's just the poor folks who were hacked before you. For DDoS attacks, it's really irrelevant where they originate from, I think. You can ban prefixes and it does filter out some of the noise. There's an article floating out there about one of the Ukrainian hackers who just rented Google cloud space to run his bots.
It's not so much the DDoS attacks that US and allies need to worry about, it's things like wiper ware (ask Sony about that), tool theft (ask the NSA about that one although that was a leak), data theft and SCADA attacks. Water systems? Utilities? GPS data? There's a lot of worrisome things to think about.