In regards to anti-spoofing measures - I think there a couple of vectors about the latest NTP attack where more rigorous client-side anti-spoofing could help but will not solve it overall.
Most NTP servers only send legitimate traffic to a handful of masters, often in the ntp.org pool, and to peers and clients on their own network. I know that when I adjusted my NTP config to stop responding to traffic other than its ntp.org masters and the local LAN, the outbound DDoS traffic stopped. It took a while for the bad guys to notice, so I added some packet filters to limit the load on the NTP daemon. It seems thata hosts sending large amounts of NTP traffic over the public Internet can be safely filtered if you don't already know that it's one of the handful that's in the ntp.org pools or another well known NTP master. R's, John