I run both a relay and a normal (private) Synthing instance on the server. So maybe they grab the IPs from https://relays.syncthing.net/? Or they run automated port scans on IP ranges?
Still I understand the incentive to try to probe for badly configured SSH servers to hack, or crappy PHP websites to infect, but why the heck would anyone try to DDoS Syncthing services?