Maybe Videolan isn't the target and the DDoS is against someone else in the form of using Videolan's bandwidth against someone else?

That's my general assumption of any attack in which the response to a request is in the many MB range and the request is in the bytes range.

That someone with limited bandwidth and many connections is attempting to acquire a large amount of bandwidth to attack someone else.

Good thought, but source spoofing for an amplification attack wouldn't work here; from https://news.ycombinator.com/item?id=5613529 :

> The actual number of requests was not that high (400 req/s), but the botnet was downloading the whole vlc.exe, aka 22MB. So, we were at around 70Gbps during the night, in average.

Source spoofing would not allow downloading the whole file; the spoofed source address would get the first response packet and send an RST ("stop, no connection associated with this packet, go away") long before that point.

HTTP is over tcp though so it should be Hard to convince vlc's servers to reply to a third party. Seems like a silly ddos actually but what do I know.

The same kind of person who would steal books from a library, or talk in a movie theater.