The code exploits the connectionless nature of IP. The receiver automatically trusts the src field without verifying if the sender actually owns that IP address. Without proper ingress filtering on routers, the network accepts the lie.