[feross]

This is nothing new. It's trivial to make website visitors DoS a target IP address using XHR requests, WebRTC, <img> tags, etc.

WebUDP wouldn't necessarily make the situation any worse.

[rnhmjoj]

Like the attack on GitHub a few years ago: https://www.eff.org/deeplinks/2015/04/china-uses-unencrypted...

[Ironlink]

Seems to me that one key difference would be that giving javascript access to UDP sockets easily enables a single browser to send huge amounts of traffic since there's no ACK to wait for. With anything based on TCP, the attacker at least has to put some effort in to achieve that.

[IshKebab]

You could easily design it so that you can only send UDP packets to hosts you already have a TCP connection with.