[asdf1011]

We have some racks with public facing ILOM interfaces which sit outside the firewall, which turns out have ntpd running. We only noticed when our international bandwidth crawled to a halt due to them being used in an NTP attack.

It's a hassle, as they're old machines and out of support contract (so we can't upgrade the firmware), and so far as I can tell there's no way to turn off public access to ntpd over the admin interfaces. We're stuck with having to go to the hosting company and change the cabling to route them through the firewall.

Just because you didn't set up ntpd doesn't mean you don't have it running (somewhere).