IPv4 Traffic started increasing on Dec 13. IPv6 traffic was unchanged (times in this graph are US/Central)
Traffic follows the pattern of peaks in the US Daytime/evening, valleys in the US nighttime. Traffic was seen to a wide variety of different regional NTP pools: New Zealand, United Kingdom, United States, Japan, etc.
Traffic is coming primarily from US networks: Cable, Cell Phone, and DSL/Other (times in this graph are UTC):
Reports of NTP traffic increases from NTP server operators and NTP in access networks have been in the range of “5x - 20x” normal levels.
The majority of traffic (>50%) has the following NTP flags set:
NTPv4, length 48 Client, Leap indicator: (0), Stratum 0 (unspecified), poll 4s, precision -6 Root Delay: 1.000000, Root dispersion: 1.000000, Reference-ID: (unspec) Reference Timestamp: 0.000000000 Originator Timestamp: 0.000000000 Receive Timestamp: 0.000000000
Traffic seems to be from many different sources and not concentrated to any one source IP.
All these facts combined suggest the traffic is coming from: Human Activity on a Mobile Device (Phone/Tablet/Laptop)
The most popular Android applications (including Snapchat) were installed on a test phone and none of them generated NTP activity. The base Android system was seen to send NTP requests to 2.android.pool.ntp.org
iPhones and iPads were tested, and the iOS system only sent NTP traffic to time-ios.apple.com
Snapchat was installed on multiple iPhones, and this caused the iphone to lookup the following hostnames in DNS and send NTP to each unique IP returned:
0.pool.ntp.org 0.uk.pool.ntp.org 0.us.pool.ntp.org asia.pool.ntp.org europe.pool.ntp.org north-america.pool.ntp.org south-america.pool.ntp.org oceania.pool.ntp.org africa.pool.ntp.org
This matches the list embedded in this iOS NTP library: https://github.com/jbenet/ios-ntp/blob/master/ios-ntp-lib/NetworkClock.m#L121
The NTP flags on the majority of NTP traffic also match the ones set here: https://github.com/jbenet/ios-ntp/blob/master/ios-ntp-lib/NetAssociation.m#L254
Snapchat has posted a fix to iTunes (Dec 20) and the update is slowly rolling out - https://mailman.nanog.org/pipermail/nanog/2016-December/089610.html
Credit for this information comes from a lot of different sources. Thanks to everyone that helped out!