Legitimate NTP traffic normally have UDP packet size less tnan 128 bytes, and normally has both source and destination ports set to 123. Attackers trig NTP amplification attack to be sent to port 80 UDP, thus such traffic is obviously an attack, oversized packets are rare and most likely an attack.

First, lets create a policer for 1M

set firewall policer limitntp-1 if-exceeding bandwidth-limit 1M
set firewall policer limitntp-1 if-exceeding burst-size-limit 10k
set firewall policer limitntp-1 then discard

Then, lets classify traffic and police traffic:

set firewall family inet filter ntp-1 interface-specific
# 123 -> 80 - drop
set firewall family inet filter ntp-1 term 1 from protocol udp
set firewall family inet filter ntp-1 term 1 from source-port ntp
set firewall family inet filter ntp-1 term 1 from destination-port http
set firewall family inet filter ntp-1 term 1 then discard
# too small or oversized packets with UDP port 123 - police and count
set firewall family inet filter ntp-1 term 2 from packet-length-except 40-128
set firewall family inet filter ntp-1 term 2 from protocol udp
set firewall family inet filter ntp-1 term 2 from port ntp
set firewall family inet filter ntp-1 term 2 then policer limitntp-1
set firewall family inet filter ntp-1 term 2 then count ntp-count
set firewall family inet filter ntp-1 term 2 then accept
# accept the rest
set firewall family inet filter ntp-1 term 3 then accept

Now apply to interface units:

# traffic leaving our network
set interfaces ae0 unit 10 family inet filter output ntp-1
# traffic entering our network
set interfaces ae0 unit 10 family inet filter input ntp-1