Summary: To prevent off-path attackers from impersonating legitimate peers, an ntpd client requires that the origin timestamp in a received response packet match the transmit timestamp of the client's last request to that peer. On the assumption that only the recipient of the request packet knows the value of that transmit timestamp, this check prevents an attacker from forging replies.
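The following is an added illustration of the check described above; it is not ntpd's code and is not part of this advisory. It builds 48-byte NTPv4 headers (RFC 5905 layout), has an honest server copy the request's transmit timestamp into the reply's origin field, and has a client accept a reply only when that origin field equals the transmit timestamp of its outstanding request. The three outcomes shown are: a legitimate reply is accepted, a blind off-path forgery (attacker never saw the request) is rejected, and a forgery by an attacker who has somehow learned the transmit timestamp is accepted, which is exactly why that value must not be disclosed. Clearing the stored timestamp after one accepted reply is a choice made for this example.

```python
import struct
import time

# Layout of the 48-byte NTPv4 header (RFC 5905): flags, stratum, poll,
# precision, root delay, root dispersion, reference ID, then four
# 64-bit timestamps: reference, origin, receive, transmit.
NTP_FORMAT = "!BBBbIIIQQQQ"
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp_timestamp(unix_seconds: float) -> int:
    """Convert a Unix time to a 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def build_packet(mode, origin_ts, transmit_ts, stratum=0, receive_ts=0):
    li_vn_mode = (0 << 6) | (4 << 3) | mode  # LI=0, VN=4
    return struct.pack(NTP_FORMAT, li_vn_mode, stratum, 6, -20,
                       0, 0, 0, 0, origin_ts, receive_ts, transmit_ts)


def parse_packet(data):
    f = struct.unpack(NTP_FORMAT, data)
    return {"mode": f[0] & 0x7, "stratum": f[1],
            "origin_ts": f[8], "receive_ts": f[9], "transmit_ts": f[10]}


class Client:
    """Minimal client that applies the origin-timestamp check."""

    def __init__(self):
        self.last_xmt = None  # transmit timestamp of the outstanding request

    def make_request(self):
        self.last_xmt = to_ntp_timestamp(time.time())
        return build_packet(MODE_CLIENT, origin_ts=0, transmit_ts=self.last_xmt)

    def accept_response(self, data):
        """Return True only if the reply echoes our last transmit timestamp."""
        reply = parse_packet(data)
        if reply["mode"] != MODE_SERVER or self.last_xmt is None:
            return False
        if reply["origin_ts"] != self.last_xmt:
            return False  # off-path forgery, or a stale/replayed reply
        self.last_xmt = None  # one reply per request (a choice of this example)
        return True


def server_reply(request):
    """Honest server: copies the request's transmit timestamp into origin."""
    req = parse_packet(request)
    now = to_ntp_timestamp(time.time())
    return build_packet(MODE_SERVER, origin_ts=req["transmit_ts"],
                        transmit_ts=now, stratum=2, receive_ts=now)


def forged_reply(origin_guess):
    """Off-path attacker: cannot see the request, so must guess the origin field."""
    now = to_ntp_timestamp(time.time())
    return build_packet(MODE_SERVER, origin_ts=origin_guess,
                        transmit_ts=now, stratum=1, receive_ts=now)


def demo():
    client = Client()

    request = client.make_request()
    honest = server_reply(request)
    legit = client.accept_response(honest)   # True: origin matches our xmt
    replay = client.accept_response(honest)  # False: request already answered

    request = client.make_request()
    blind = client.accept_response(forged_reply(0))  # False: wrong origin

    # Same outstanding request, but the attacker has learned our xmt value.
    leaked = client.accept_response(forged_reply(client.last_xmt))  # True
    return {"legit": legit, "replay": replay, "blind": blind, "leaked": leaked}


if __name__ == "__main__":
    print(demo())
```

The last case is the one the mitigations below are about: the check is only as strong as the secrecy of the transmit timestamp, so anything that lets an outsider read it (here, the `leaked` path) turns an off-path attacker into an effective on-path one.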
Configure ntpd to get time from multiple sources.
Configure ntpd with restrict statements (the noquery flag) to limit who is allowed to issue ntpq and ntpdc queries. Note that ntpdc queries are disabled by default.
Monitor your ntpd instances.
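As an added example covering the three items above (not part of the advisory and not ntpd's own logic), the script below parses ntp.conf text and checks it against them: it wants several distinct time sources, a `restrict default` rule that carries `noquery` (denies ntpq/ntpdc queries) and `nomodify` (denies runtime reconfiguration), and a loopback `restrict` line so that local ntpq monitoring keeps working once the default rule is tightened. The threshold of three sources, the flag set, and the sample configurations are assumptions made for this example; the host names are constructed.

```python
MIN_SOURCES = 3  # assumption for this example; the advisory only says "multiple"
REQUIRED_DEFAULT_FLAGS = {"noquery", "nomodify"}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample configurations, not taken from any real host.
WEAK_CONF = """\
# one source and no restrict lines: any host may query this ntpd
server ntp1.example.net iburst
driftfile /var/lib/ntp/ntp.drift
"""

HARDENED_CONF = """\
server ntp1.example.net iburst
server ntp2.example.net iburst
server ntp3.example.net iburst
pool ntp.example.net iburst
# outsiders get time service only: no queries, no reconfiguration, no peering
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# keep ntpq usable locally for monitoring
restrict 127.0.0.1
restrict ::1
"""


def parse_ntp_conf(text):
    """Return (source hosts, [(restrict target, set of flags)]) from ntp.conf text."""
    sources, restricts = [], []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not words:
            continue
        keyword, args = words[0], words[1:]
        if keyword in ("server", "pool", "peer") and args:
            sources.append(args[0])
        elif keyword == "restrict" and args:
            if args[0] in ("-4", "-6"):  # address-family selector
                args = args[1:]
            target, flags = args[0], args[1:]
            if flags[:1] == ["mask"]:  # "restrict A.B.C.D mask M.M.M.M flags..."
                flags = flags[2:]
            restricts.append((target, set(flags)))
    return sources, restricts


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means all checks pass."""
    sources, restricts = parse_ntp_conf(text)
    findings = []

    distinct = len(set(sources))
    if distinct < MIN_SOURCES:
        findings.append(f"only {distinct} time source(s) configured; "
                        f"want at least {MIN_SOURCES}")

    defaults = [flags for target, flags in restricts if target == "default"]
    if not defaults:
        findings.append("no 'restrict default' line: any host may issue "
                        "ntpq/ntpdc queries")
    for flags in defaults:
        missing = REQUIRED_DEFAULT_FLAGS - flags
        if missing:
            findings.append("'restrict default' lacks " + ", ".join(sorted(missing)))

    # Only relevant once a default rule exists; without one nothing is blocked.
    if defaults and not any(target in LOOPBACK for target, _ in restricts):
        findings.append("no loopback restrict line: local ntpq monitoring is "
                        "blocked by the default rule")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf) or "OK")
```

Running it on `WEAK_CONF` reports the single source and the missing default restriction; `HARDENED_CONF` produces no findings. Running the audit from a periodic job, together with `ntpq -p` on the loopback interface, is one concrete form of the monitoring recommended above.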
Credit: This weakness was discovered by Matthew Van Gundy <email@example.com> of Cisco ASIG.