by mb0 4504 days ago
In my opinion, the NTP reflection attacks are a result of a larger problem on the internet: large payloads being delivered without any sort of connection handshake. While it is easy to blame open NTP servers, DNS resolvers, and SNMP servers, these protocols wouldn't be as easy to abuse if the internet hadn't grown to rely on UDP. UDP is a connectionless protocol, so there is no handshake before data is thrown at the vulnerable target. Worse yet, there is no 'reset' function in these protocols, so there is no way for the victim to tell the remote host to shut up.

As for the targets of these attacks: they're still happening. It's honestly a pretty stupid attack. The connections are from victim:80 to ntpserver:123. The attackers don't seem to understand that port 80 is not a commonly used UDP port. I'm seeing the following targets in my NTP server's logs:

37.187.133.51 (OVH)
216.33.93.214 (edline.com)
23.9.97.251 (akamai)
59.7.146.69 (Korea Telecom)
198.50.139.161 (OVH)
217.236.16.131 (Deutsche Telekom)
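The observation above (spoofed NTP requests arriving with a source port of 80, which no real NTP client would use) can be turned into a simple detection for an NTP server operator. The following is an added example, not code from the comment's author or from any NTP implementation: it parses a constructed request log in a made-up "client:port -> server:port" format (real ntpd logging differs), treats well-known TCP service ports as implausible NTP client source ports (an assumption, configurable via SUSPECT_SRC_PORTS), and counts requests per claimed source address. The addresses flagged are the spoofed victims, which is the list an operator would want in order to notify them or rate-limit responses toward them.

```python
import re
from collections import Counter

# Constructed sample log (not a real ntpd log format; fields are an assumption
# for this example). Each line: timestamp, client address:port, server address:port.
# Addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2014-02-10T12:00:01Z 192.0.2.10:80 -> 198.51.100.5:123
2014-02-10T12:00:01Z 192.0.2.10:80 -> 198.51.100.5:123
2014-02-10T12:00:02Z 203.0.113.7:123 -> 198.51.100.5:123
2014-02-10T12:00:02Z 192.0.2.10:80 -> 198.51.100.5:123
2014-02-10T12:00:03Z 203.0.113.9:51234 -> 198.51.100.5:123
2014-02-10T12:00:03Z 192.0.2.44:80 -> 198.51.100.5:123
"""

LINE_RE = re.compile(
    r"^\S+\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumption: ports that are well-known TCP services and therefore not plausible
# source ports for a genuine NTP client, which uses 123 or an ephemeral port.
SUSPECT_SRC_PORTS = {80, 443}


def parse(line):
    """Parse one constructed log line into (src, sport, dst, dport); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def likely_spoofed_sources(log_text, threshold=1):
    """Return {claimed_source_ip: count} for NTP requests (dst port 123) whose
    source port is in SUSPECT_SRC_PORTS, keeping only sources seen at least
    `threshold` times. The keys are the reflection victims, not the attacker."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, sport, _dst, dport = rec
        if dport == 123 and sport in SUSPECT_SRC_PORTS:
            counts[src] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in sorted(likely_spoofed_sources(SAMPLE_LOG).items()):
        print(f"{ip}: {n} request(s) with a suspect source port, likely spoofed victim")
```

Raising `threshold` suppresses one-off noise so that only addresses being hit repeatedly are reported; the legitimate clients in the sample (source port 123 or an ephemeral port) are never flagged.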