Journal on Communications


Research on tracking DDoS based on NTP reflection amplification attack

JIANG Kaida, ZHANG Siyu, SUN Qiang

  1. Network and Information Center, Shanghai Jiao Tong University, Shanghai 200240
  • Online: 2014-10-25 Published: 2014-12-16

Abstract: This paper proposes a method that exploits the characteristics of NTP reflection amplification attacks: hosts running open public NTP services in mainland China are actively probed at regular intervals (by executing the monlist command), and the returned information is used for long-term tracking, observation and statistical analysis of NTP reflection DRDoS attacks worldwide. Tracking began in February 2014 with an initial probe range of nearly 14,000 NTP server hosts in mainland China and ran continuously for 164 days at one cycle every 2 h, observing suspected DDoS attacks against hundreds of thousands of IP addresses.
