This is only if you have _no_ idea how to use very basic open-source tools to wreak havoc via some open proxies. The real cost of launching small-scale attacks like this is $5/month on your favorite VPS provider.
Open proxies? I heard about this more than a decade ago, but why would anybody in 2022 run an open proxy? Or are these open proxies unintentional, i.e. misconfigured?
Many of them are unintentional: a device sitting on the open internet has some vulnerability and gets exploited. Bad guy sets up a proxy on the device and uses it to click a bunch of ads using bots, or crawl Google results, or launch attacks, etc. Or, as mentioned below, they could simply be the result of misconfiguration.
Unfortunately, this type of abuse is essentially only acted on if you either (a) cause some kind of problem for ops at the VPS company, or (b) the victim tells on you. Even then, the absolute worst thing that will happen to you is your account will be closed. There is just no way on the modern internet to investigate/prosecute these kinds of things. That's why one of our primary goals with the free Cloudflare plan is to invert the problem: make DDoS go away by making it free to mitigate.