attack prevention – Do modern routers drop malformed IP packets

A packet with a forged source address isn’t malformed; it’s well formed syntactically. So no router would drop it as “malformed”.

If the forged source address violates ingress or egress filtering rules – for example, if you send a packet with a 192.168.x.y source address to the outside interface of a NAT device which uses 192.168.x on the inside – then the router will drop it.

If the forged source address is just some random device on the Internet, then the router will process it normally. If “process it normally” means sending some data larger than the request packet back out to the forged source, then that’s what’s called an amplification attack.
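The distinction the answer draws (a spoofed source is syntactically valid, so only an ingress/egress policy can catch it) can be made concrete with a small simulation. The following is an added example, not code from the question or answer: it parses a raw IPv4 header, rejects only genuinely malformed headers, and then applies BCP 38-style ingress and egress filtering on a hypothetical NAT router with 192.168.1.0/24 on its `inside` interface. All addresses, interface names and packets are constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Constructed topology (hypothetical): a border/NAT router with 192.168.1.0/24
# behind its "inside" interface and the Internet on its "outside" interface.
INSIDE_PREFIX = ipaddress.ip_network("192.168.1.0/24")
# Private/loopback/link-local ranges that should never arrive from the Internet.
BOGON_PREFIXES = [
    ipaddress.ip_network(p)
    for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header.
    Over a header whose checksum field is already filled in, a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int = 0, proto: int = 17) -> bytes:
    """Build a minimal, well-formed 20-byte IPv4 header (constructed test data)."""
    ver_ihl = (4 << 4) | 5                      # version 4, IHL 5 words
    total_len = 20 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


@dataclass
class Parsed:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    total_len: int


def parse_ipv4(packet: bytes) -> Parsed:
    """Syntactic validation only: raise ValueError for a malformed header.
    A forged source address is NOT malformed and passes this check."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < ihl or total_len > len(packet):
        raise ValueError("bad total length")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return Parsed(ipaddress.IPv4Address(packet[12:16]),
                  ipaddress.IPv4Address(packet[16:20]), total_len)


def filter_packet(packet: bytes, arrival_iface: str) -> str:
    """Router decision: 'drop:malformed', 'drop:ingress', 'drop:egress' or 'forward'."""
    try:
        p = parse_ipv4(packet)
    except ValueError:
        return "drop:malformed"
    if arrival_iface == "outside":
        # Ingress filtering: Internet-side traffic must not claim an inside or bogon source.
        if p.src in INSIDE_PREFIX or any(p.src in b for b in BOGON_PREFIXES):
            return "drop:ingress"
    elif arrival_iface == "inside":
        # Egress filtering (BCP 38): inside hosts may only send from the inside prefix.
        if p.src not in INSIDE_PREFIX:
            return "drop:egress"
    # A plausible Internet source arriving from the Internet is indistinguishable
    # from legitimate traffic; this is the case the amplification paragraph describes.
    return "forward"


if __name__ == "__main__":
    spoofed_inside = build_ipv4_header("192.168.1.10", "203.0.113.5")
    random_internet = build_ipv4_header("198.51.100.7", "203.0.113.5")
    print("spoofed inside src on outside:", filter_packet(spoofed_inside, "outside"))
    print("random Internet src on outside:", filter_packet(random_internet, "outside"))
    print("Internet src leaving from inside:", filter_packet(random_internet, "inside"))
    print("truncated header:", filter_packet(spoofed_inside[:10], "outside"))
```

Running it shows the three outcomes the answer distinguishes: the packet with a 192.168.x.y source arriving on the outside interface is well formed (it passes `parse_ipv4`) yet is dropped by the ingress rule, the same source leaving the inside interface with a foreign address is dropped by the egress rule, and a packet claiming an arbitrary Internet source passes both checks and is forwarded, which is exactly why the router alone cannot stop the reflected reply.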