From the evidence gathered here, such as it all starting at one point in time, going from normal traffic to extreme overload of many .ru.pool.ntp.org servers at once, I’m more and more convinced the root of the problem is a DDoS targeting ru.pool.ntp.org and/or its subzones (1, 2, 3, 4).
Keep in mind that a DDoS means the IP addresses sourcing the floods are likely not belonging to the attacker, but are compromised devices (routers and/or hosts) that are under control the person(s) behind the likely-politically-motivated attack. If you are reporting abusive IP addresses to the responsible ISP (via lookup of the AS number of the IP) you should probably mention that the attack is part of a widespread DDoS so the ISP’s client is probably not an attacker, but has compromised device(s).
I’m far from a fan of Russia under Putin, though I have no problem with the Russian people, but I am opposed to vigilante tech warfare by anyone anywhere. Leave it to the combatants and their allies, both sides have extensive internet warfare capabilities which will operate strategically to have the most useful effect. Vigilante actions could well be counterproductive due to timing or other reasons. For example, Ukraine and their allies might want to throw off NTP service (either by shifting time or denying all pool service) timed to enable some other action to be more effective.