Attackers used one server in a massive DDoS attack against an organization in Europe, generating 400 Gbps of bad traffic at its peak via NTP amplification. CloudFlare CEO Matthew Prince: It is possible that the attacker used only a single server running on a network that allowed source IP address spoofing to initiate the requests. NTP is a protocol used to synchronize time on computer clocks; experts call it a set-and-forget feature on networks, but attackers have been able to ferret out a weakness in a feature called MONLIST, which returns the IP addresses of the last 600 machines that interacted with an NTP server. Because that response is much larger than the request that triggers it, requests sent with a spoofed source address cause the NTP server to direct the amplified reply at the victim.
Source: https://threatpost.com/400-gbps-ntp-amplification-attack-alarmingly-simple/104256/
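For operators who want to check whether their own NTP servers expose MONLIST, the following is an added example (not from the article) that audits ntpd configuration text. It assumes the classic ntpd `ntp.conf` directives `disable monitor` and `restrict ... noquery`; the function name `audit_ntp_conf` and both sample configurations are constructed for illustration.

```python
"""Audit ntpd configuration text for exposure of the MONLIST query."""

WEAK_CONF = """\
# constructed sample: monitoring left on, no default query restriction
driftfile /var/lib/ntp/drift
server ntp.example.org iburst
restrict 127.0.0.1
"""

HARDENED_CONF = """\
# constructed sample: monitoring off, remote queries refused
driftfile /var/lib/ntp/drift
server ntp.example.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

def audit_ntp_conf(text):
    """Return a list of findings; an empty list means MONLIST is not exposed."""
    monitor_enabled = True   # ntpd's monitoring facility is on by default
    default_rules = []       # flag set of every "restrict default" line
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments
        if not tokens:
            continue
        keyword, args = tokens[0].lower(), [t.lower() for t in tokens[1:]]
        if keyword in ("enable", "disable") and "monitor" in args:
            monitor_enabled = keyword == "enable"   # last directive wins
        elif keyword == "restrict":
            args = [a for a in args if a not in ("-4", "-6")]
            if args and args[0] == "default":
                default_rules.append(set(args[1:]))
    findings = []
    if monitor_enabled:
        findings.append("monitoring facility enabled (MONLIST data is collected)")
    if not default_rules:
        findings.append("no 'restrict default' line: remote queries are unrestricted")
    elif not all(rule & {"noquery", "ignore"} for rule in default_rules):
        findings.append("a 'restrict default' line lacks noquery/ignore")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf) or "OK")
```
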

