There are currently many NTP amplification DDoS attacks. Some of our customers have servers running poorly protected NTP services, which can be exploited in a spoofed DDoS attack. The server then becomes one of the IPs that took part in a DDoS attack. We detect this kind of attack within a few seconds, but the consequences for the victim of the attack can be huge.
As a result, we have just enabled VAC on all NTP flows (port 123), whether or not a DDoS has been detected. This allows us to analyse NTP packets and filter the requests that are often used during the attacks, while standard requests continue to work. We have developed this active filter on Tilera: http://status.ovh.net/?do=details&id=6209
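
To illustrate what inspecting NTP packets on port 123 can look like, here is an added example that is not OVH's filter code: it reads the version and mode fields from the first byte of each payload and keeps time-synchronisation traffic. The pass/drop policy, the names and the sample payloads are assumptions made for the illustration.

```python
# Added illustration; not OVH's VAC/Tilera filter. The pass/drop policy is an assumption.
NTP_MIN_LEN = 48  # size of the fixed NTP time header (RFC 5905)

MODE_NAMES = {
    0: "reserved", 1: "symmetric-active", 2: "symmetric-passive",
    3: "client", 4: "server", 5: "broadcast",
    6: "control", 7: "private",
}
# Assumed policy: modes that carry time synchronisation pass; the control and
# private (management) modes and the reserved mode are dropped.
TIME_SYNC_MODES = {1, 2, 3, 4, 5}


def classify(payload: bytes) -> tuple[str, str]:
    """Return (verdict, reason) for the payload of one UDP/123 datagram."""
    if not payload:
        return "drop", "empty payload"
    first = payload[0]
    version, mode = (first >> 3) & 0x7, first & 0x7  # LI is the top 2 bits
    name = MODE_NAMES[mode]
    if mode not in TIME_SYNC_MODES:
        return "drop", f"mode {mode} ({name}) is not a time-sync mode"
    if not 1 <= version <= 4:
        return "drop", f"unsupported NTP version {version}"
    if len(payload) < NTP_MIN_LEN:
        return "drop", f"{name} packet truncated to {len(payload)} bytes"
    return "pass", f"NTPv{version} {name}"


# Constructed sample payloads: only the first byte is meaningful, the rest is zero padding.
SAMPLES = {
    "v4 client request": bytes([0x23]) + bytes(47),
    "v4 server reply": bytes([0x24]) + bytes(47),
    "v2 control query": bytes([0x16]) + bytes(11),
    "v2 private query": bytes([0x17]) + bytes(7),
    "short client packet": bytes([0x23]) + bytes(7),
    "version 0 client": bytes([0x03]) + bytes(47),
}


def verdicts() -> dict[str, str]:
    """Map each sample label to 'pass' or 'drop'."""
    return {label: classify(p)[0] for label, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:20} -> {classify(payload)}")
```

Ordinary client and server time packets pass, while management-mode queries and malformed packets are dropped before they reach the NTP daemon.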