Realistic max packets/sec per source IP?

Sure. I use the following (on Mikrotik RouterOS). Anything that exceeds 1000 packets / sec and a 3000 packet burst gets logged and put in the throttling list for the next 24 hours. Anything in the throttling list gets limited to max 1000 packets / sec with a burst of 250 packets; excess traffic gets dropped. All limits are per-source-IP.

/ip firewall raw
add action=jump chain=prerouting dst-port=123 jump-target=high-rate-ntp/throttle protocol=udp src-address-list=high-rate-ntp/throttle
add action=jump chain=prerouting dst-port=123 jump-target=high-rate-ntp/detect protocol=udp src-address=!103.106.65.219
add action=return chain=high-rate-ntp/detect dst-limit=1000,3000,src-address/10s
add action=add-src-to-address-list address-list=high-rate-ntp/throttle address-list-timeout=1d chain=high-rate-ntp/detect log=yes log-prefix="[high-rate-ntp]" src-address-list=!high-rate-ntp/throttle
add action=return chain=high-rate-ntp/throttle dst-limit=1000,250,src-address/5s
add action=drop chain=high-rate-ntp/throttle
add action=notrack chain=prerouting port=123 protocol=udp
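To make the detect/throttle interaction in the rules above easy to trace, here is an added Python model of them; it is not code from the post or from MikroTik. It assumes dst-limit behaves like a per-source token bucket (rate = refill per second, burst = bucket size) and that the "/expire" suffix simply discards a bucket that has been idle that long; the traffic mix, the documentation-range IPs and the exempt address are all constructed for the example.

```python
"""Added example (not from the forum post): a token-bucket model of the
per-source NTP throttling rules, run over a constructed packet stream.

Assumptions: dst-limit is modelled as a classic token bucket keyed by
source address, and the "/expire" value discards a bucket idle that long.
"""
from dataclasses import dataclass, field


@dataclass
class Bucket:
    rate: float          # refill in packets per second
    capacity: float      # burst size
    tokens: float
    last: float          # time of the last packet seen from this source

    def allow(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if available."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class DstLimit:
    """One dst-limit=rate,burst,src-address/expire rule, tracked per source."""
    rate: float
    burst: float
    expire: float
    buckets: dict = field(default_factory=dict)

    def within_limit(self, src: str, now: float) -> bool:
        b = self.buckets.get(src)
        if b is None or now - b.last > self.expire:
            b = Bucket(self.rate, self.burst, self.burst, now)  # expired/new entry: fresh burst
            self.buckets[src] = b
        return b.allow(now)


class NtpLimiter:
    """Mirrors the rule order of the post: throttle chain first, then detect."""
    LIST_TIMEOUT = 86400.0  # address-list-timeout=1d

    def __init__(self, exempt=()):
        self.detect = DstLimit(rate=1000, burst=3000, expire=10)  # dst-limit=1000,3000,src-address/10s
        self.throttle = DstLimit(rate=1000, burst=250, expire=5)  # dst-limit=1000,250,src-address/5s
        self.exempt = set(exempt)        # stands in for the post's src-address=!<own IP> exception
        self.throttle_list = {}          # src -> time the address-list entry expires
        self.log = []                    # what log=yes would emit

    def handle(self, src: str, now: float) -> str:
        """Return 'accept' or 'drop' for one UDP/123 packet from src."""
        listed = src in self.throttle_list and self.throttle_list[src] > now
        if listed:
            # chain high-rate-ntp/throttle: return while within limit, otherwise drop
            if not self.throttle.within_limit(src, now):
                return "drop"
        if src in self.exempt:
            return "accept"              # never jumps into the detect chain
        # chain high-rate-ntp/detect: return while within limit
        if not self.detect.within_limit(src, now) and not listed:
            # add-src-to-address-list is non-terminating: this packet still passes,
            # but every later packet from src hits the throttle chain first
            self.throttle_list[src] = now + self.LIST_TIMEOUT
            self.log.append(f"[high-rate-ntp] {src} at t={now:.3f}s")
        return "accept"


def run_stream(limiter, sources):
    """sources: {src: (pps, seconds)} -> {src: (accepted, dropped)}."""
    packets = sorted((i / pps, src) for src, (pps, secs) in sources.items()
                     for i in range(int(pps * secs)))
    counts = {src: [0, 0] for src in sources}
    for t, src in packets:
        counts[src][0 if limiter.handle(src, t) == "accept" else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


def demo():
    """Constructed traffic: a polite client, an abuser, and an exempt host."""
    lim = NtpLimiter(exempt={"192.0.2.10"})
    result = run_stream(lim, {
        "198.51.100.7": (100, 2),    # 100 pps for 2 s: never exceeds the limit
        "203.0.113.99": (5000, 2),   # 5000 pps for 2 s: burst drains, then throttled
        "192.0.2.10": (5000, 2),     # exempt from detection, like the post's own IP
    })
    return lim, result


if __name__ == "__main__":
    limiter, counts = demo()
    for src, (ok, dropped) in counts.items():
        print(f"{src:14} accepted={ok:5} dropped={dropped:5}")
    print("\n".join(limiter.log))
```

Running it shows the shape of the policy: the 5000 pps source is accepted for roughly the first 3750 packets (3000 burst plus refill), gets logged and listed exactly once, and is then held to about 1000 pps with the excess dropped, while the 100 pps client and the exempt host are never touched.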