[swiftcoder]

In other words, this entire botnet can perform the work of... a few dozen decent size AWS instances?

We used to push ~million request per second from each m4.10xl instance when running load tests.

[yabones]

What makes it dangerous is that those requests aren't coming from a single source - it's a distributed denial of service attack. Anybody can push huge throughput from an XL cloud server with good networking, but it's just as easy to block that IP. Blackholing thousands of nodes is much more difficult.

[menmob]

Legitimate IPs, at that. These are networks that are not hostile 99% of the time.

[junon]

Yes and to mitigate your puny attack I need to block a few dozen IPs.

A botnet is probably coming from hundreds, if not thousands of IPs, sprinkled in with normal user requests and often with similar frequency.