Increase in Protocol 47 (GRE) traffic since end of December 2016 (isc.sans.edu)
69 points by aysfrm11 3449 days ago
5 comments

There is probably a consumer device that has a GRE listener running, and it is possible to send it a small packet, and it will return back some sort of error response. So classic amplification.

Though, given the moderate amount of traffic, maybe it isn't a hugely effective DDoS method.

Even if a consumer device doesn't use GRE, it doesn't mean it isn't there. GRE is often included in Linux kernels.

If that's the case, it's possible they're just testing it out right now to figure out a good way to use it. Be interesting to watch this unfold.
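The comment above describes the mechanism (small packets in, error replies out) but the diary itself is about the rise in protocol 47 packets hitting sensors. Here is an added example, not from the diary or from any commenter, of the check a sensor operator would run over flow records to confirm such a rise: count protocol 47 packets per day, take the median of the days before a cutoff as the baseline, and flag later days that exceed it by a factor. The log format and every address in SAMPLE_LOG are constructed for this example (TEST-NET ranges), and the cutoff date 2016-12-25 is an assumption.

```python
import re
from collections import Counter
from statistics import median

GRE = 47  # IP protocol number for GRE

# Constructed flow-log lines (TEST-NET addresses, not real traffic):
#   <day> <src> -> <dst> proto=<n> len=<bytes>
SAMPLE_LOG = """\
2016-12-20 192.0.2.10 -> 198.51.100.5 proto=6 len=1500
2016-12-20 192.0.2.12 -> 198.51.100.5 proto=47 len=28
2016-12-21 192.0.2.11 -> 198.51.100.5 proto=17 len=512
2016-12-21 192.0.2.13 -> 198.51.100.5 proto=47 len=28
2016-12-22 192.0.2.10 -> 198.51.100.5 proto=6 len=1500
2016-12-22 192.0.2.14 -> 198.51.100.5 proto=47 len=28
2016-12-23 192.0.2.10 -> 198.51.100.5 proto=6 len=1500
2016-12-28 192.0.2.20 -> 198.51.100.5 proto=47 len=28
2016-12-28 192.0.2.21 -> 198.51.100.5 proto=47 len=28
2016-12-28 192.0.2.22 -> 198.51.100.5 proto=47 len=28
2016-12-28 192.0.2.23 -> 198.51.100.5 proto=47 len=28
2016-12-29 192.0.2.24 -> 198.51.100.5 proto=47 len=28
2016-12-29 192.0.2.25 -> 198.51.100.5 proto=47 len=28
2016-12-29 192.0.2.26 -> 198.51.100.5 proto=47 len=28
2016-12-29 192.0.2.27 -> 198.51.100.5 proto=47 len=28
2016-12-29 192.0.2.28 -> 198.51.100.5 proto=47 len=28
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"proto=(?P<proto>\d+) len=(?P<length>\d+)$"
)


def parse_log(text):
    """Parse the constructed text log into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["proto"] = int(rec["proto"])
        rec["length"] = int(rec["length"])
        records.append(rec)
    return records


def daily_counts(records, proto=GRE):
    """Packets of `proto` per day; days that only saw other traffic count as 0,
    so quiet days pull the baseline down instead of being ignored."""
    counts = Counter({r["day"]: 0 for r in records})
    for r in records:
        if r["proto"] == proto:
            counts[r["day"]] += 1
    return dict(sorted(counts.items()))


def flag_spikes(counts, cutoff, factor=3.0, min_count=3):
    """Baseline = median daily count before `cutoff` (assumed date). A day on or
    after the cutoff is flagged when its count exceeds both `min_count` and
    `factor` times the baseline; min_count stops a zero baseline flagging noise."""
    before = [c for d, c in counts.items() if d < cutoff]
    baseline = median(before) if before else 0.0
    threshold = max(min_count, factor * baseline)
    flagged = [d for d, c in counts.items() if d >= cutoff and c > threshold]
    return {"baseline": baseline, "threshold": threshold, "flagged": flagged}


if __name__ == "__main__":
    counts = daily_counts(parse_log(SAMPLE_LOG))
    for day, c in counts.items():
        print(f"{day}: {c} protocol-47 packets")
    print(flag_spikes(counts, cutoff="2016-12-25"))
```

On real sensor data the interesting follow-up is the packet length distribution of the protocol 47 traffic and the number of distinct sources per day: a reflection scan shows many small packets from many sources, which is what the first comment's amplification theory predicts.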
This is when somebody gets the bright idea to block all protocols other than TCP and UDP.

Hey, you can just tunnel via UDP, right?

Not sure if you are joking or not but that is exactly what VXLAN does.
Makes me wonder if someone has a comms protocol based on backscatter for the backhaul.
What's backscatter in this case? Could you elaborate on this with maybe some more technical details?
Let's say you wanted to create a (nominally) covert channel to site X. You take your message text M and encode it with some forward error correction. Next you find a set of host IP addresses H which have as their last octet the values 0 - 0xff (or perhaps you use every other bit and find hosts where the last two octets are 0b0x0x0x0x 0b0x0x0x0x through 0b1x1x1x1x 0b1x1x1x1x). Now you take the octets you want to send in your message and your botnet bounces a packet off the host where the spoofed source IP is the real destination host. That destination host looks at all these errors that are coming in, collects the last two octets of the addresses, and reconstructs the message M. All while the world sees "oooh DDoS by script kiddies" but really it's someone communicating with low detection risk across a deep-packet-inspecting firewall.
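The scheme in the comment above, as an added in-process simulation (not code from the commenter or from the diary): the sender maps each message byte to a reflector whose last octet equals that byte, the receiver only ever sees the reflectors' error replies and recovers the bytes from their source addresses. It goes one step beyond the comment to make reassembly work: instead of a real FEC it uses a 3x repetition code, and it alternates between two reflector pools per message byte so the receiver can tell where one symbol ends and the next begins even when the same byte repeats or a copy is lost. The pools (TEST-NET-2 and TEST-NET-3 prefixes), the stray-reply and drop pattern, and the assumption that replies arrive in the order they were triggered are all constructed for this example; no packet is sent anywhere.

```python
from collections import Counter
from itertools import groupby

# Constructed reflector pools (TEST-NET prefixes, not real hosts). Pool t holds
# hosts whose last octet runs 0..255; which pool was used is a 1-bit toggle.
POOLS = ("198.51.100", "203.0.113")
REPEAT = 3  # repetition code: each symbol is bounced off REPEAT reflectors


def reflector(value, toggle):
    return f"{POOLS[toggle]}.{value}"


def encode(message: bytes, dest_ip: str):
    """Sender side. Each bounce is a packet aimed at a reflector with the
    *spoofed* source set to the covert destination, so the reflector's error
    reply lands at dest_ip. The toggle alternates per symbol so the receiver
    can delimit symbols; the repetition gives it something to vote over."""
    bounces = []
    for i, b in enumerate(message):
        toggle = i % 2
        for _ in range(REPEAT):
            bounces.append({"dst": reflector(b, toggle), "spoofed_src": dest_ip})
    return bounces


def simulate_channel(bounces, drop_every=4, noise_every=6,
                     noise_srcs=("203.0.113.9", "192.0.2.77")):
    """What the receiver sees: the source of each error reply is the reflector.
    Deterministically drops every `drop_every`-th reply and inserts unrelated
    backscatter before every `noise_every`-th one (one stray inside a pool,
    one from outside) so the decoder has both kinds of noise to handle."""
    replies = []
    noise_i = 0
    for n, b in enumerate(bounces, start=1):
        if noise_every and n % noise_every == 0:
            replies.append(noise_srcs[noise_i % len(noise_srcs)])
            noise_i += 1
        if drop_every and n % drop_every == 0:
            continue
        replies.append(b["dst"])
    return replies


def decode(replies):
    """Receiver side: keep replies from known pools, split into symbols at each
    pool (toggle) change, majority-vote the last octet within each run.
    Assumes in-order delivery; if every copy of a symbol is lost, the runs on
    either side merge and that symbol and one neighbour are lost."""
    symbols = []
    for src in replies:
        prefix, _, last = src.rpartition(".")
        if prefix in POOLS:
            symbols.append((POOLS.index(prefix), int(last)))
    out = bytearray()
    for _, run in groupby(symbols, key=lambda s: s[0]):
        votes = Counter(v for _, v in run)
        out.append(votes.most_common(1)[0][0])
    return bytes(out)


if __name__ == "__main__":
    bounces = encode(b"hello", "192.0.2.1")
    replies = simulate_channel(bounces)
    print(len(bounces), "bounces ->", len(replies), "replies seen")
    print(decode(replies))
```

From the defender's side the same structure is the tell: a burst of ICMP errors whose sources cluster in a couple of /24s and whose last octets cover the byte range, arriving at a host that never sent anything to them, looks nothing like ordinary backscatter from a volumetric attack.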
GRE Tunnel bonding rollout maybe?
In that case, the source/destination IPs would not resemble backscatter traffic. Unfortunately, SANS forums aren't much for analysis.
Mirai, state sponsored botnet.