I’ve checked a bunch of the IPs involved in the attack, and the majority of them seem to be simple consumer ISP connections, no proxies, no anonymizers.

I did find one that seemed to be hosted at Bank of America, and one that traced to the FAA.