Saw this on #bitcoin-dev IRC chat today:
07:59 phantomcircuit jgarzik, i actually have code to ddos the entire network
07:59 phantomcircuit it works
07:59 phantomcircuit but i run out of local port numbers before i get past about 100 peers
If I found a DoS vulnerability I wouldn't brag about it in public-- I'd tell the developers privately.
And isn't testing a DoS on a production network immoral/illegal ?