From tcpdump messages, I see NTP clients using NTPv1, which is a very outdated version. Is it normal, or is it malicious activity?
If you don’t like these outdated clients, feel free to block them all using the version flag inside your restrict commands.
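To see which clients a version restriction would affect before applying it, the capture can be tallied per source. The following is an added example, not part of the original thread: it assumes tcpdump's one-line NTP summary of the form `NTPv<N>, <mode>, length <n>`, the sample lines are constructed with documentation addresses, and `min_version` is a hypothetical threshold.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `tcpdump -n udp port 123` output (documentation addresses).
SAMPLE = """\
12:00:01.000001 IP 192.0.2.10.123 > 198.51.100.1.123: NTPv1, Client, length 48
12:00:02.000002 IP 192.0.2.11.40112 > 198.51.100.1.123: NTPv4, Client, length 48
12:00:02.000900 IP 198.51.100.1.123 > 192.0.2.11.40112: NTPv4, Server, length 48
12:00:03.000003 IP 192.0.2.10.123 > 198.51.100.1.123: NTPv1, Client, length 48
12:00:04.000004 IP 192.0.2.12.51000 > 198.51.100.1.123: NTPv3, Client, length 48
12:00:05.000005 IP6 2001:db8::5.123 > 2001:db8::1.123: NTPv2, Client, length 48
"""

# Assumed line layout: "<time> IP[6] <src>.<sport> > <dst>.<dport>: NTPv<N>, <mode>, length <n>"
LINE_RE = re.compile(
    r"^\S+ IP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"NTPv(?P<ver>\d+), (?P<mode>[^,]+), length (?P<len>\d+)"
)


def versions_by_client(lines):
    """Map each source address to a Counter of NTP versions in its client requests."""
    seen = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        # Only client-mode requests are tallied; server replies are skipped.
        if m and m["mode"] == "Client":
            seen[m["src"]][int(m["ver"])] += 1
    return seen


def outdated_clients(lines, min_version=3):
    """Return {source: {version: count}} for requests below min_version."""
    report = {}
    for src, counts in versions_by_client(lines).items():
        old = {v: n for v, n in counts.items() if v < min_version}
        if old:
            report[src] = old
    return report


if __name__ == "__main__":
    for src, old in sorted(outdated_clients(SAMPLE.splitlines()).items()):
        print(src, old)
```

A source that keeps appearing with the same old version at a steady polling interval is more consistent with a legacy device than with a one-off probe.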