Exactly what im thinking.
Indeed i’m running chrony 4.8. So local chrony instance is providing the answer.
Now I feel dumb!
You are right. I tested on IP’s what have no Chrony and ‘it connects’ the same.
How stupid is that? It does the exact same stuff. Why does it give a prompt then?
Thanks for clearing that up 
3 Likes
I’m just guessing, but if it’s UDP based, it might just send the commands without maintaining a connection. The server might not even be aware that there’s any shell.
Looks that way. But why doesn’t it send something like a ‘ping’ to check if the host reacts and if not, tell you the remote-host won’t take commands.
As it really looks like it does connect….confusing.
Finally got rid of them….DrayTek to the resque!
Settings that I use for 100/35Mbit VDSL line.
It results in this:
See how my drops are reduced to 0. Everytime my DrayTek detects an ‘attack’ it should close the port for 60 seconds for bad IP’s.
I do not know exactly what it does, but the pool-monitors will tell me soon enough. Does it close the port in general? Or only the attacking IP’s?
I do notice a massive drop in drop’s 
Hopefully it fixes things.