My recollection was that the volume coming from this one site was tiny, not like a DDoS. I don't recall if he said as much or if I was reading between the lines, but it sounded like he had just set up some sort of IDS, and it reported this traffic as an attack, and he just took that at face value.
We did have some UDP multiplication attacks at other times, mostly on our authoritative DNS servers. I don't recall that we ever had any against our NTP servers that I noticed. But we did block the broadcast address so the best multiplication vector was via DNS requests, IIRC the NTP responses were fairly short.
We did have some UDP multiplication attacks at other times, mostly on our authoritative DNS servers. I don't recall that we ever had any against our NTP servers that I noticed. But we did block the broadcast address so the best multiplication vector was via DNS requests, IIRC the NTP responses were fairly short.