I noticed requests for port 37/udp in our firewall to our ntp server. That
is the 'daytime' protocol which is absolutely ancient in an Internet timescale.
I opened the port and started the service as an experiment and started
tcpdump on it. The results are interesting:
09:50:09.749723 IP xx.xx.178.51.37 > 126.96.36.199.123: NTPv4 client, strat 2, poll 7, prec -20
09:50:09.749782 IP 188.8.131.52.123 > xx.xx.178.51.37: NTPv4 server, strat 2, poll 7, prec -19
09:52:19.808243 IP xx.xx.178.51.37 > 184.108.40.206.123: NTPv4 client, strat 3, poll 7, prec -20
09:52:19.808301 IP 220.127.116.11.123 > xx.xx.178.51.37: NTPv4 server, strat 2, poll 7, prec -19
09:53:08.511939 IP xx.xxx.183.183.34505 > 18.104.22.168.37: UDP, length: 0
09:53:08.513364 IP 22.214.171.124.37 > xx.xxx.183.183.34505: UDP, length: 4
Most traffic seen by 'tcpdump port 37' is from source port 37
Which is an artifact of certain NAT devices translating privileged
ports (< 1024) to other privileged ports. Certain versions ntpd seem to
ignore these requests. But there are real clients using the 'daytime' protocol.