[Heads up: yes, I know ARP does not cross subnets on a properly configured network. You don't have to tell me that.]
[snip]
Wouldn't it cause considerably more damage to logically coordinate your zombies to do a distributed ARP poisoning attack, and route high-bandwidth traffic through the target network block(s) instead?
LOL. ARP traffic does not cross subnets. It has nothing to do with being properly configured. It's a layer two protocol. Routers do not forward layer 2. Correctly configured or not, it doesn't happen.
What you're describing (ARP poisoning) would require you to have zombies on the SAME layer 2 broadcast domain as a VERY poorly configured backbone switch. I'd wager that's not going to happen. These networks are very tightly controlled.
I instruct the zombie drones along those routes to start spamming out ARP packets. These ARP packets confuse the shit out of the rest of the subnet's automatically generated routing tables, which then causes at least some portion of the normal traffic that these subnets are transporting to get re-routed along the path I specify.
ARP doesn't impact routing tables in a carrier network (nor, really, in any network). It's possible to redirect the traffic of one host to a different location on the same layer 2 network through ARP poisoning, but carrier backbone networks virtually all use port security to prevent malicious ARP. Even if they don't, the backbone networks do not have a substantial broadcast domain. Two routers connected to each other via an inter-city FDDI or some such. You don't just "find zombies" on that broadcast domain. The only two nodes are the two ends of the fiber in secure data centers. Even if you could impact the layer 2 delivery of packets in a carrier network, you would ALSO have to redirect it to a multi-homed network device, since a router is simply going to pass it right back to the proper interface referenced in the routing table.
EG-- Think of what would happen if you used ComCast's various local networks (the neighborhood branch networks that the cable modems are attached to),
Nothing would happen. A cable modem is supposed to be a layer 3 device and regardless, its layer 2 network ID is manually programmed into the distribution switch during activation. But even if you could attack the endpoints and redirect a few homes worth of packets to a different upstream IP... uhm. where the hell is the traffic going to go? You would have to rewrite the routing table on the router, which has NOTHING to do with ARP.
Now, there are flaws in OSPF and BGP routing protocols which MIGHT enable someone to rewrite the tables (various vendors are working on standards upgrades right now to address these). But you have to have direct access to a backbone-level peering arrangement to make this happen. See: China's "accidental" routing of massive bits of traffic for a few hours this summer.
This would DDoS the entire [snip... blah blah blah...] AND your nodes wouldn't be generating fingerprints all over some remote server's access logs.... [snip blah blah]
Simply spoofing the return address in the IP header is often adequate in a DDoS. Most carrier networks don't enforce egress IP filtering (despite it being best practice) due to complex routing issues, especially from server-class and business clients. Simple, and a plus is that you can use the spoofed addresses to generate false traffic at another location consisting of responses from the first target. Additionally, in some networks it can be useful to use the device's own IP as a return address. Especially with protocols like "echo" (which shouldn't be on the Internet, let alone turned on but still is sometimes), which can generate a DoS without the other D, very quickly.
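The ARP poisoning the reply above talks about (one host on the same broadcast domain redirecting another host's traffic by answering for an IP it does not own) leaves signals on the wire that a monitor on that segment can pick up. The following is an added example, not code from either poster, showing three such indicators over constructed Ethernet/ARP frames: a reply nobody requested, an IP suddenly claimed by a second MAC, and an ARP sender-hardware-address that disagrees with the Ethernet source MAC. The addresses, MACs and frames are all made up for the demo.

```python
"""Added example: flag ARP poisoning indicators in a stream of Ethernet frames.
Not code from the thread; all frames below are constructed for the demo."""
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": fmt_mac(src), "sha": fmt_mac(sha), "spa": fmt_ip(spa),
            "tha": fmt_mac(tha), "tpa": fmt_ip(tpa)}


def build_arp(op, sha, spa, tha, tpa, eth_src=None, eth_dst="ff:ff:ff:ff:ff:ff"):
    """Build an Ethernet+ARP frame; used here only to construct sample traffic."""
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(eth_src or sha), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                       mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


class ArpMonitor:
    """Track IP->MAC bindings on one broadcast domain and record poisoning indicators."""

    def __init__(self):
        self.table = {}       # IP -> first MAC seen claiming it
        self.pending = set()  # (requester IP, target IP) pairs awaiting a reply
        self.alerts = []      # (kind, ip, ...) tuples

    def feed(self, frame):
        p = parse_arp(frame)
        if p is None:
            return
        # ARP sender MAC disagreeing with the Ethernet source MAC: a forged body.
        if p["sha"] != p["eth_src"]:
            self.alerts.append(("mac-mismatch", p["spa"], p["sha"], p["eth_src"]))
        if p["op"] == ARP_REQUEST:
            self.pending.add((p["spa"], p["tpa"]))
        elif p["op"] == ARP_REPLY:
            key = (p["tpa"], p["spa"])
            if key in self.pending:
                self.pending.discard(key)
            else:
                # Nobody asked. Legitimate gratuitous ARP lands here too, so it is a signal, not proof.
                self.alerts.append(("unsolicited-reply", p["spa"], p["sha"]))
        if p["spa"] != "0.0.0.0":  # ARP probes carry an all-zero sender IP; nothing to learn
            self._learn(p["spa"], p["sha"])

    def _learn(self, ip_addr, mac_addr):
        known = self.table.get(ip_addr)
        if known is None:
            self.table[ip_addr] = mac_addr
        elif known != mac_addr:
            self.alerts.append(("ip-conflict", ip_addr, known, mac_addr))


def run_sample():
    """Constructed traffic: a normal exchange, then two forged replies for the gateway's IP."""
    gw_mac, gw_ip = "aa:bb:cc:00:00:01", "192.168.1.1"
    host_mac, host_ip = "aa:bb:cc:00:00:10", "192.168.1.10"
    bad_mac = "de:ad:be:ef:00:66"
    frames = [
        build_arp(ARP_REQUEST, host_mac, host_ip, "00:00:00:00:00:00", gw_ip),
        build_arp(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip, eth_dst=host_mac),
        # Attacker claims the gateway IP with its own MAC.
        build_arp(ARP_REPLY, bad_mac, gw_ip, host_mac, host_ip, eth_dst=host_mac),
        # Attacker copies the gateway MAC into the ARP body but transmits from its real NIC.
        build_arp(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip, eth_src=bad_mac, eth_dst=host_mac),
    ]
    mon = ArpMonitor()
    for f in frames:
        mon.feed(f)
    return mon


if __name__ == "__main__":
    for alert in run_sample().alerts:
        print(alert)
```

Against real traffic you would feed `ArpMonitor.feed` raw frames from a promiscuous socket or a pcap reader; the "unsolicited-reply" check needs the pending set aged out over time, and the "ip-conflict" check is the same binding a switch's dynamic ARP inspection enforces from its DHCP snooping table.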
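The last paragraph above notes that source-address spoofing works because many carriers do not enforce egress filtering, even though it is best practice (BCP 38). The filter itself is simple: on a customer-facing port, forward a packet only if its source address falls inside the prefixes routed to that port, and never accept a source that is the router's own address. The following is an added example of that check, not code from the thread or any vendor; the interface names, prefixes, router addresses and sample packets are constructed for the demo.

```python
"""Added example: a BCP38-style source address validation filter for a customer-facing edge.
Not code from the thread; interfaces, prefixes and packets are constructed for the demo."""
import ipaddress

# Constructed: prefixes the provider routes to each customer-facing interface.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": ["203.0.113.0/24"],
    "ge-0/0/2": ["198.51.100.0/26", "2001:db8:1::/48"],
}
# Constructed: the edge router's own addresses. A packet on a customer port that claims
# one of these as its source is the "device's own IP as return address" trick.
ROUTER_ADDRESSES = ["203.0.113.1", "198.51.100.1", "2001:db8:1::1"]

# Constructed sample traffic: (ingress interface, claimed source address).
SAMPLE_PACKETS = [
    ("ge-0/0/1", "203.0.113.77"),    # legitimate customer source
    ("ge-0/0/1", "192.0.2.9"),       # spoofed: a reflection victim's address as source
    ("ge-0/0/2", "203.0.113.77"),    # another customer's prefix arriving on the wrong port
    ("ge-0/0/1", "203.0.113.1"),     # the router's own address as source
    ("ge-0/0/2", "2001:db8:1::5"),   # legitimate IPv6 customer source
    ("ge-0/0/3", "198.51.100.9"),    # interface with no assigned prefixes
]


def build_filter(customer_prefixes, router_addresses):
    """Parse the configuration once into network objects and a set of router addresses."""
    table = {ifn: [ipaddress.ip_network(p) for p in prefixes]
             for ifn, prefixes in customer_prefixes.items()}
    own = frozenset(ipaddress.ip_address(a) for a in router_addresses)
    return table, own


def egress_decision(ingress_if, src, table, own):
    """Return ("forward"|"drop", reason) for a packet with source src seen on ingress_if."""
    src_addr = ipaddress.ip_address(src)
    if src_addr in own:
        return ("drop", "source is the router's own address")
    nets = table.get(ingress_if)
    if nets is None:
        return ("drop", "no prefixes configured for ingress interface")
    # ipaddress returns False for a v4/v6 version mismatch, so mixed tables are safe.
    if any(src_addr in n for n in nets):
        return ("forward", "source within prefixes assigned to interface")
    return ("drop", "source not assigned to interface (spoofed or misrouted)")


def filter_packets(packets, customer_prefixes=CUSTOMER_PREFIXES,
                   router_addresses=ROUTER_ADDRESSES):
    """Apply the filter to a batch of packets and return the action for each."""
    table, own = build_filter(customer_prefixes, router_addresses)
    return [egress_decision(ifn, src, table, own)[0] for ifn, src in packets]


if __name__ == "__main__":
    table, own = build_filter(CUSTOMER_PREFIXES, ROUTER_ADDRESSES)
    for ifn, src in SAMPLE_PACKETS:
        action, reason = egress_decision(ifn, src, table, own)
        print(f"{ifn:9} {src:16} {action:8} {reason}")
```

This is the static-ACL form of the check; strict unicast RPF does the same lookup against the FIB instead of a per-port prefix list, which is why the multi-homed and asymmetric-routing cases the poster alludes to make carriers reluctant to turn it on for business customers.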