I looked at a 60-second pcap from Sebhoster’s server. Typical caveats: only examined one server for a short time, traffic may vary over time, etc.
Preliminary analysis below. The behavior is unlike other high-request rate systems that I’ve looked at.
NTP requests were sent by 17,564 clients during the 60 seconds. 99.6% of the requests were sent by 152 clients! Most clients sent requests at a steady rate of 300-1500 during the entire period.
This is probably not a NAT/VM related situation.
Except for the absolute rate, all 152 clients exhibit similar behavior: UDP source port is constant, the requests show alarm=0, version=4, stratum=0. The NTP request transmit times (set by the client when it sends the request) are all in error by either 20.5, 41, or 82 years.
Looking again at the NTP request transmit timestamp, the fractional part is always <= 0.232 seconds. A similar behavior was seen in recent years due to a bug in systemd’s timesyncd service. The Philippines situation differs in other aspects.
My guess is buggy client software is to blame.
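
Added example, not part of the original post: a Python sketch of how the traits listed above (constant source port, alarm=0/version=4/stratum=0, transmit time decades off, fraction <= 0.232) can be checked per client from decoded capture records. The record layout, function names, addresses and sample packets are constructed for illustration, and "alarm=0" is assumed to mean leap indicator 0.

```python
import struct
from collections import defaultdict

NTP_UNIX_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
YEAR = 365.25 * 86400

def parse_request(payload):
    """Decode the NTP header fields the post looks at; None if too short."""
    if len(payload) < 48:
        return None
    flags, stratum = payload[0], payload[1]
    tx_sec, tx_frac = struct.unpack("!II", payload[40:48])   # transmit timestamp
    return {"leap": flags >> 6, "version": (flags >> 3) & 7, "mode": flags & 7,
            "stratum": stratum, "tx": tx_sec - NTP_UNIX_OFFSET, "frac": tx_frac / 2**32}

def profile_clients(records):
    """records: (capture_time_unix, src_ip, src_port, udp_payload) tuples."""
    clients = defaultdict(lambda: {"count": 0, "ports": set(), "fields": set(),
                                   "errors": [], "max_frac": 0.0})
    for ts, ip, port, payload in records:
        p = parse_request(payload)
        if p is None or p["mode"] != 3:          # client-mode requests only
            continue
        c = clients[ip]
        c["count"] += 1
        c["ports"].add(port)
        c["fields"].add((p["leap"], p["version"], p["stratum"]))
        c["errors"].append(abs(p["tx"] - ts) / YEAR)   # transmit-time error, years
        c["max_frac"] = max(c["max_frac"], p["frac"])
    return dict(clients)

def matches_profile(c, min_years=20, max_frac=0.232):
    """Constant port, leap=0/version=4/stratum=0, decades-off clock, small fraction."""
    return (len(c["ports"]) == 1 and c["fields"] == {(0, 4, 0)}
            and min(c["errors"]) >= min_years and c["max_frac"] <= max_frac)

def build_request(tx_unix, frac, stratum=0):
    """Constructed sample packet: LI=0, VN=4, mode=3, only transmit time filled in."""
    return (bytes([(4 << 3) | 3, stratum]) + bytes(38)
            + struct.pack("!II", int(tx_unix) + NTP_UNIX_OFFSET, int(frac * 2**32)))

def sample_records(t0=1700000000):
    """Constructed capture: one client matching the post, one ordinary client."""
    odd = [(t0 + i, "192.0.2.10", 40000, build_request(t0 + i - 41 * YEAR, 0.05 * i))
           for i in range(4)]
    ok = [(t0 + i, "192.0.2.20", 50000 + i, build_request(t0 + i, 0.9)) for i in range(4)]
    return odd + ok

if __name__ == "__main__":
    for ip, c in profile_clients(sample_records()).items():
        print(ip, c["count"], "requests, matches:", matches_profile(c))
```

Sorting the resulting clients by `count` gives the per-client request share; the sketch ignores the NTP era rollover in 2036.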