Here is something I came across recently that I have’t seen before:
This is from an Internet facing host. The interesting bit here is the disclosure of internal IP addresses in the “refid” field. Just another thing to watch out for during pentests and when configuring your NTP services.
As a side note, carnal0wnage has some great posts on getting information out of NTP services.