I was part of a DDoS last week
I have a 1U server at a colo and my ISP contacted me last week saying they got reports that I was part of an NTP DDoS and that I need to fix my shit..
Which had me confused, because the IP they claim participated in the attack was the IPMI interface of my server.. (since I'm fairly limited in what I can put at the DC, it's hard to put the IPMI device behind a firewall)
Upon further investigation it seems that the NTP client on the IPMI interface was less of a client and more of a client with a server attached.
After I disabled the NTP client the vulnerability was closed. I'm not expecting the vendor (Supermicro) to ever release a fix (server is a few years old); fortunately, not having NTP on IPMI is not a big deal. The IPMI interface has a built-in poor man's firewall, though I'm not sure if it would impact inbound NTP requests and I'm too worried to enable it in the event I need to connect to it from a network it is not configured to recognize.
The support team at my ISP gave me a handy command to verify whether or not you could be impacted (not sure if this means you are vulnerable or if it means there is just a possibility):
ntpdc -n -c monlist <IP>
And sure enough, with the NTP *client* enabled on the IPMI interface (well, web-based IPMI) the system responded, like a server would respond (I guess, haven't spent any time researching this).
Anyway found it strange/stupid that something that claimed to be a client only would be vulnerable enough to participate in an attack.
At my company we were indirect victims of an NTP-based DDoS on 1/2/14 when our upstream ISP got hit by a 100Gbps attack for another customer (am assuming it was a gaming company). They handled it pretty well, not a big impact to us (spotty VPN connections, occasional site connectivity errors) but our bandwidth usage is pretty small.
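A passive way to catch a device like this before the ISP does, as an added example that is not part of the original post: it scans UDP flow records for local hosts whose replies from port 123 are far larger than what the peer sent them, which an ordinary NTP client never does. The function name, thresholds, record layout and sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict

NTP_PORT = 123

# Constructed sample UDP flow records (not from the post), documentation IPs:
# (src_ip, src_port, dst_ip, dst_port, bytes)
LOCAL_HOSTS = {"192.0.2.10", "192.0.2.11"}  # .10 = BMC/IPMI, .11 = ordinary NTP client
SAMPLE_FLOWS = [
    ("203.0.113.5", 53211, "192.0.2.10", 123, 270),     # small queries to the BMC
    ("192.0.2.10", 123, "203.0.113.5", 53211, 144000),  # large replies from the BMC
    ("192.0.2.10", 123, "203.0.113.9", 40000, 50000),   # replies only (sampled capture)
    ("192.0.2.11", 123, "198.51.100.1", 123, 4560),     # client polling its time server
    ("198.51.100.1", 123, "192.0.2.11", 123, 4560),     # same-size answers coming back
]

def find_ntp_reflectors(flows, local_hosts, min_ratio=5.0, min_bytes_out=1000):
    """Return [(host, peer, bytes_in, bytes_out, ratio)] for local hosts whose
    UDP/123 replies to a peer are much larger than what that peer sent them."""
    bytes_in = defaultdict(int)   # (host, peer) -> bytes received on host:123
    bytes_out = defaultdict(int)  # (host, peer) -> bytes sent from host:123
    for src, sport, dst, dport, nbytes in flows:
        if dst in local_hosts and dport == NTP_PORT:
            bytes_in[(dst, src)] += nbytes
        if src in local_hosts and sport == NTP_PORT:
            bytes_out[(src, dst)] += nbytes
    findings = []
    for (host, peer), sent in bytes_out.items():
        if sent < min_bytes_out:
            continue  # too little traffic in this window to judge
        received = bytes_in.get((host, peer), 0)
        # Ordinary NTP is symmetric (request and reply are the same size),
        # so the ratio stays near 1. No inbound seen at all counts as infinite.
        ratio = sent / received if received else float("inf")
        if ratio >= min_ratio:
            findings.append((host, peer, received, sent, ratio))
    # Largest outbound volume first
    return sorted(findings, key=lambda f: f[3], reverse=True)

if __name__ == "__main__":
    for host, peer, rx, tx, ratio in find_ntp_reflectors(SAMPLE_FLOWS, LOCAL_HOSTS):
        print(f"{host} -> {peer}: in={rx}B out={tx}B ratio={ratio:.1f}")
```

A host flagged here is worth confirming with the ntpdc check quoted in the post, run against your own address.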