We recently heard from a customer that they had received an abuse report from AWS stating that a DoS attack had originated from one of their instances, a DC/OS public agent.
With the Mesosphere-provided CloudFormation templates for DC/OS 1.6+ on AWS, the master nodes only have ports 80, 443, and 22 accessible from outside the cluster. The private and public agents each have their own security groups. Restricting the "AdminLocation" parameter further tightens access.
The general "agent" pools have no ports open to the outside world, so they should not be usable in an attack (unless the cluster as a whole is compromised).
The "public agent" depends entirely on what you launch there. We do not expose the DC/OS services, but all the other ports on the box are reachable. If you run a piece of software that can be used in an amplification attack (an open DNS resolver, an open proxy, etc.), then the public agent can be used for a DoS attack.
Customers have elected to block port 53 from public ingress to prevent their clusters from being used for this sort of abuse. In addition, we recommend that you configure your cluster during setup to allow ingress only from a specific address range.
For clusters that already exist, you will need to change the existing security groups as well as the CloudFormation templates.
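As an added example (not part of the original article or of the DC/OS templates), the following Python audits security-group ingress rules in the JSON shape returned by `aws ec2 describe-security-groups`, flags any rule that exposes port 53 (or other ports you list) to 0.0.0.0/0 or ::/0, and builds the matching `aws ec2 revoke-security-group-ingress` / `authorize-security-group-ingress` commands that re-create the rule limited to one source range. The sample output, the group IDs, and the 203.0.113.0/24 range standing in for your admin CIDR are all constructed for this example.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`.
# Group IDs and names are hypothetical; they are not from the article or any real cluster.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0public0agent0",
            "GroupName": "public-agent-example",
            "IpPermissions": [
                # DNS open to the whole internet: the amplification case the article describes
                {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                # HTTPS open to the world is expected on a public agent serving web traffic
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                # All traffic, but only from the VPC range: not a public exposure
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
            ],
        },
        {
            "GroupId": "sg-0private0agent",
            "GroupName": "private-agent-example",
            "IpPermissions": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
            ],
        },
    ]
})

# Ports that must not be reachable from the open internet on an agent.
# Port 53 is the one the article names; add others according to your own policy.
DISALLOWED_PUBLIC_PORTS = {53}


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a rule that admits any source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers_port(perm, port):
    """True if an IpPermissions entry admits traffic to the given TCP/UDP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # all protocols, all ports
        return True
    if proto not in ("tcp", "udp"):
        return False             # icmp and numbered protocols carry no ports
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_open_ingress(describe_json, ports=DISALLOWED_PUBLIC_PORTS):
    """Return (group_id, protocol, from_port, to_port, cidr) for every rule that
    exposes a disallowed port to the whole internet (IPv4 or IPv6)."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            ranges = perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])
            for rng in ranges:
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                if not is_world_open(cidr):
                    continue
                if any(rule_covers_port(perm, p) for p in ports):
                    findings.append((sg["GroupId"], perm["IpProtocol"],
                                     perm.get("FromPort"), perm.get("ToPort"), cidr))
    return findings


def remediation_commands(findings, allowed_cidr):
    """Build aws-cli commands that revoke each world-open rule and re-create it
    restricted to allowed_cidr (the 'specific range' the article recommends)."""
    cmds = []
    for group_id, proto, from_port, to_port, cidr in findings:
        if proto == "-1":
            port_arg = ""            # an all-traffic rule has no port argument
            proto_arg = "all"
        else:
            port_arg = f" --port {from_port}" if from_port == to_port else f" --port {from_port}-{to_port}"
            proto_arg = proto
        for verb, target in (("revoke", cidr), ("authorize", allowed_cidr)):
            cmds.append(f"aws ec2 {verb}-security-group-ingress --group-id {group_id}"
                        f" --protocol {proto_arg}{port_arg} --cidr {target}")
    return cmds


if __name__ == "__main__":
    hits = find_open_ingress(SAMPLE_DESCRIBE_OUTPUT)
    for hit in hits:
        print("world-open ingress:", hit)
    # 203.0.113.0/24 is a documentation range standing in for your real admin/ingress CIDR.
    for cmd in remediation_commands(hits, "203.0.113.0/24"):
        print(cmd)
```

Run it against the live output of `aws ec2 describe-security-groups --output json` for the public-agent group to list the rules to fix; the generated commands are printed, not executed, so you can review them before applying. Bear in mind that revoking a rule requires an exact match on protocol, port range, and CIDR, which is why the finding carries the rule's full port range rather than just the flagged port.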
That said, DC/OS does not require public agents; they exist as a security concept so that your cluster can have an "edge" facing the broader internet.