Quoting Roland Dobbins <rdobbins@arbor.net>:
Do you have flow telemetry, which provides a lot more information than basic pps/bps stats?
Sources are pretty widely spread out among cell networks/home internet, seem to be mostly US based. I'm not seeing a large amount of traffic per single IP or single subnet. This seems more like "someone pushed out bad firmware" rather than something malicious.
Are you seeing normal timesync queries, or lots of level-6/level-7 admin command attempts?
SNTP Client timesync queries make up 91.3% of the traffic to my server. The following NTP settings are the most popular (47% of all traffic to my server): stratum=0, poll=4, precision=-6, root delay=1, root dispersion=1, reference timestamp=0, originator timestamp=0, receive timestamp=0
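An added example, not part of the original message: a Python sketch that decodes the NTP header from captured UDP payloads and sorts them into the buckets discussed above (client queries matching the quoted field values, other client queries, and mode 6/mode 7 packets). It assumes "level-6/level-7" refers to NTP modes 6 and 7 and that the quoted root delay and dispersion of 1 are seconds in NTP 16.16 fixed point; the function names and sample payloads are constructed for illustration.

```python
import struct
from collections import Counter

# Values quoted in the post. Assumption: root delay/dispersion are in seconds
# (NTP 16.16 fixed point), so "1" is the raw word 0x00010000.
FINGERPRINT = {"stratum": 0, "poll": 4, "precision": -6, "root_delay": 1.0,
               "root_dispersion": 1.0, "ref_ts": 0, "orig_ts": 0, "recv_ts": 0}

def parse_ntp(payload: bytes) -> dict:
    """Decode the fixed 48-byte NTP header carried in a UDP payload."""
    if len(payload) < 48:
        raise ValueError("shorter than the 48-byte NTP header")
    (flags, stratum, poll, precision, delay, disp, _refid,
     ref_ts, orig_ts, recv_ts, _xmit_ts) = struct.unpack("!BBbbIII4Q", payload[:48])
    return {"version": (flags >> 3) & 0x07, "mode": flags & 0x07,
            "stratum": stratum, "poll": poll, "precision": precision,
            "root_delay": delay / 65536, "root_dispersion": disp / 65536,
            "ref_ts": ref_ts, "orig_ts": orig_ts, "recv_ts": recv_ts}

def classify(payload: bytes) -> str:
    """Bucket one payload: mode 6/7 admin traffic, fingerprinted client, etc."""
    if not payload:
        return "malformed"
    mode = payload[0] & 0x07
    if mode in (6, 7):          # control/private packets may be under 48 bytes
        return f"mode{mode}"
    if mode != 3:
        return "other"
    try:
        hdr = parse_ntp(payload)
    except ValueError:
        return "malformed"
    if all(hdr[k] == v for k, v in FINGERPRINT.items()):
        return "client-fingerprint"
    return "client"

def tally(payloads) -> dict:
    """Percentage of packets per bucket, rounded to one decimal place."""
    counts = Counter(classify(p) for p in payloads)
    total = sum(counts.values())
    return {k: round(100 * n / total, 1) for k, n in counts.items()}

# Constructed sample payloads (not captured traffic).
FP = struct.pack("!BBbbIII4Q", 0x1B, 0, 4, -6, 1 << 16, 1 << 16, 0, 0, 0, 0, 1)
NORMAL = struct.pack("!BBbbIII4Q", 0x23, 0, 6, -20, 0, 0, 0, 0, 0, 0, 1)
MODE7 = bytes([0x17]) + bytes(7)

if __name__ == "__main__":
    print(tally([FP, FP, NORMAL, MODE7]))
```

Feeding it the UDP/123 payloads from a packet capture gives the same kind of breakdown as the percentages quoted in the message.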