According to MikroTik, the recent botnet of hacked routers is only used for proxying traffic, not generating it. If this is true, then they're only useful for hiding source addresses; an attacker actually loses power if using them for a volumetric attack.
If that were true, it would be trivial to trace back the traffic to the origin of the attack since you would see 40Gbps incoming at the target, one set of intermediaries, and 40Gbps to a single source (which is also unlikely given 40Gbps uplinks are quite a big monthly expense). They might be using the Tor network (or creating a makeshift proxy network), but it would seemingly be a waste of bandwidth on the target routers. The regular C&C approach seems more practical since it can make use of available bandwidth and leaves less of a trail.
It's quite unlikely there's a single link sending the traffic; that would be super easy to block. Most likely this is used to either hide the command server or the actually compromised servers. While symmetrical load can be quite obvious, it's less so if we're talking about 2000 links sending at 20 mb/s each. Especially when those links also have legitimate traffic.