
It's trivial to add a UDP policer to NTP traffic to your NTP hosts. Also, how many people are exposing NTP externally on the same IPs they're running regular content (http/https) on? If you're allowing UDP/123 to your web servers, you need to fire yourself.

I guess what I'm trying to say is, you should already have this ACL'd on your own.



A UDP Policer doesn't help in a DDOS, because you need to block the traffic before it gets onto your circuit. By the time you start inspecting traffic, it's too late, you've already passed the traffic on your (presumably limited size) circuit.

The NTP DDOS doesn't require that the web server (or, indeed, any server) at the target be listening to UDP/123 in order to cripple them. You just need to use up their circuit capacity.

What I was trying (and failing) to suggest is that when the upstream starts scrubbing out the NTP DDOS, there is a reasonable chance that during the event the downstream customers will start to see more NTP drops than they normally would. And one way that customers who care about NTP greatly could mitigate that possibility would be by having multiple stratum 0 sources locally, i.e. a GPS antenna and atomic clock. I then took it a step further and suggested that this would be a great service for the CoLo to provide, because they are downstream of any packet scrubbing and would therefore be able to provide a reliable time source during a DDOS attack involving rogue NTP traffic, which might end up with some NTP packets being dropped by the upstream ISP who was scrubbing the DDOS off the circuit.


I was suggesting ways to prevent being part of the DDoS, not protect yourself from the DDoS. In other words, lock down your hosts so that they don't participate in the attack.
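One concrete check for the "don't be part of the DDoS" point, as an added example that is not from any commenter in the thread: it scans flow records for hosts on your own prefix that answer UDP/123 with many more bytes than they receive, which is the traffic shape of a reflector. The flow tuple layout, the addresses and the ratio threshold are all assumptions; a legitimate client sync and an ACL'd web server are included as the non-flagged cases.

```python
from collections import defaultdict

# Constructed flow records, not a real NetFlow/IPFIX format (assumption):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    # Legitimate client sync against our NTP server: 48-byte request, 48-byte reply.
    ("203.0.113.5", 40123, "198.51.100.10", 123, "udp", 48),
    ("198.51.100.10", 123, "203.0.113.5", 40123, "udp", 48),
    # Suspicious: small queries from one (likely spoofed) source, large replies.
    ("192.0.2.77", 123, "198.51.100.20", 123, "udp", 60),
    ("198.51.100.20", 123, "192.0.2.77", 123, "udp", 468),
    ("192.0.2.77", 123, "198.51.100.20", 123, "udp", 60),
    ("198.51.100.20", 123, "192.0.2.77", 123, "udp", 468),
    # Web server with UDP/123 ACL'd: a query arrives, nothing goes back out.
    ("192.0.2.77", 123, "198.51.100.30", 123, "udp", 60),
]

OUR_PREFIX = "198.51.100."   # assumed: the address block we are responsible for


def ntp_reflection_report(flows, our_prefix=OUR_PREFIX, ratio_threshold=5.0):
    """Return {host: (bytes_in, bytes_out, out/in ratio, flagged)} for every
    host on our prefix that sent or received UDP/123 traffic.

    A plain client/server exchange has a ratio near 1; a host whose replies
    dwarf the queries it receives is amplifying someone else's traffic.
    """
    in_bytes = defaultdict(int)
    out_bytes = defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dst.startswith(our_prefix) and dport == 123:
            in_bytes[dst] += nbytes          # queries arriving at our host
        elif src.startswith(our_prefix) and sport == 123:
            out_bytes[src] += nbytes         # replies leaving our host

    report = {}
    for host in set(in_bytes) | set(out_bytes):
        if in_bytes[host]:
            ratio = out_bytes[host] / in_bytes[host]
        else:
            ratio = float("inf")             # replies with no visible queries
        report[host] = (in_bytes[host], out_bytes[host], round(ratio, 2),
                        ratio >= ratio_threshold)
    return report


if __name__ == "__main__":
    for host, (b_in, b_out, ratio, flagged) in sorted(ntp_reflection_report(FLOWS).items()):
        print(f"{host}: in={b_in} out={b_out} ratio={ratio} {'REFLECTOR?' if flagged else 'ok'}")
```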



