Shodan - a search tool for such things - had a pretty incredible approach to attacking this - they quietly provided most of the ipv6 hosts to pool.ntp.org, which is widely used as a linux default - and would queue a portscan up for any device that connected at startup for timesync.
Ingenious - and all the more reason to run NTP on the border router/firewall and have that be the only device that communicates with the outside world.
https://arstechnica.com/information-technology/2016/02/using...