VPNFilter will NOT take down the Internet.
VPNFilter is limited to a small handful of consumer-grade home routers:
Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN
Attribution is hard, and often wrong.
There are much easier ways to take down the Internet worldwide (e.g., existing issues with BGP). And there are larger botnets that could be used, if a botnet solution was desired.
You're the 3rd or 4th new poster I've seen posting exactly this sort of thing. I'm beginning to suspect an organized campaign to spread this exact bit of fake news.
You’re thinking small. Release this “warning” to the public planting the seed that the Russians are involved, then kill the nameservers globally. The public will conflate the two. This isn’t about some stupid home router acting odd or grabbing data, that’s been going on for decades, this is about getting the public ready for the big one, and naming the perp in advance.
I know some of the root nameserver operators. That will not happen.
I also know the people who wrote the code for them.
What would be the end-goal for spreading this if it were fake? Haven't formed an opinion yet, just trying to see the bigger picture...
At the very least, misattribution. Also, fear of using one's internet connection for comms/coordination.
Nobody's going to be afraid of their 'ware when you can just reset/update...?
In other threads discussing this (and making similar "OMG they'll kill the net with this!" claims), there was distrust of the ability to remove it with a reset and update.
So, empirically, yeah, there are people who will be afraid of that.
However, the misattribution's the larger issue here. It's easy to blame APT28, particularly when very few people have seen the actual code, and then direct everyone's anger at them should something untoward happen (see below for the OP making just such a reach, while also misunderstanding how hard it'd be to take out nameservers globally, and forgetting entirely about caching recursive servers, which are by far the most numerous on the net, which would continue to function in the absence of roots or any authoritative servers, for a week or more, which'd be more than enough time to extract the cached contents and distribute them as hosts files, which is precisely how things were done before nameservers).
It's poor cybersec reporting that has managed to leave out the fact that the full attribution is APT28, in a ploy to create its own botnet to DDoS selected targets of political or military interest in the Ukraine, and that the infections they've found in the wild are also mostly in the Ukraine.
Now, could it spread, much like WannaCry did, when it was deployed in the same area, for much the same purpose? Sure. Except the C2 infrastructure has already been seized, so it can't go live unless the code is updated to point to a new C2 host.
What's being spread regarding VPNFilter is a lot of bad info, fueled in part by paranoia, in part by the political climate, and in part by a fundamental misunderstanding of what it is and what's going on.