Masscan notes
NTP
For NTP, masscan
(1.3.1) sends by default "monlist" packets. We only get responses from IPs that have this feature enabled (which is great for NTP amplification DDoS attacks). Since we get no response we miss open NTPs that don't have this feature.
$ masscan -pU:123 <ip>