"I would suspect they were likely related due to the similar timing and scale," Prince said. "However, I don't have direct evidence of that."
OVH did not immediately respond to a request for comment.
NTP is just one of several protocols that and can be abused to amplify DDoS attacks. Two others are DNS (Domain Name System) and SNMP (Simple Network Management Protocol).
What these protocols have in common is that they allow a relatively small query to generate a large response and are vulnerable to source IP spoofing if certain precautions are not taken because they work over UDP (User Datagram Protocol).
Instead of hitting a target's IP address directly with traffic generated by a botnet with a combined bandwidth of, say, 10Gbps, attackers could use the botnet to send spoofed queries to a list of open DNS or NTP servers. Those queries could be crafted to appear as if they came from the victim's IP address and could trigger large responses from those servers to that address.
In the case of DNS reflection, the amplification factor is 8x, meaning attackers could generate eight times more traffic than they would normally be able to generate with their botnet. However, in the case of NTP and SNMP reflection it can be over 200x and 650x, respectively, CloudFlare said in a blog post in January.
DNS reflection was commonly used in DDoS attacks last year, including in the attack against Spamhaus, prompting calls from Internet infrastructure groups and security researchers to organizations to identify and secure their DNS servers against this type of abuse.
SNMP reflection attacks are relatively rare, because the protocol is usually used with authentication and there are few open SNMP servers on the Internet, CloudFlare said in its January blog post.
However, NTP servers that are vulnerable to reflection attacks are apparently not that rare and attackers have caught on to this. NTP servers are used by computers and other devices to synchronize their clocks so many of them are publicly accessible.