[Forbo]

NTP uses UDP, so he was probably the victim of a spoofed NTP request amplification attack. He probably didn't have clients that we're actually requesting the time, the requests were just spoofed to look like they came from his IP.

[linsomniac]

My recollection was that the volume coming from this one site was tiny, not like a DDoS. I don't recall if he said as much or if I was reading between the lines, but it sounded like he had just set up some sort of IDS, and it reported this traffic as an attack, and he just took that at face value.

We did have some UDP multiplication attacks at other times, mostly on our authoritative DNS servers. I don't recall that we ever had any against our NTP servers that I noticed. But we did block the broadcast address so the best multiplication vector was via DNS requests, IIRC the NTP responses were fairly short.

[ktta]

I'm leaning towards incompetence - Hanlon's razor and all that.