Only if it’s traffic, usually providers don’t give a damn about it, but the repair priorities of different points are different, and in the case of home tariffs, don’t be surprised that they will repair according to the last priority.

Hee hee, the management will set the task for us to find such guys. And we will look at the charts and find it)
Specifically, your situation is very easy - for individuals, the main traffic is in the evening, and for legal entities during the day. The anomaly will simply be visible in the usual picture.
It is more interesting when one buys the Internet in some hostel and distributes it to another 4-6 people. This is where you need to be creative. As I personally searched: I collected statistics from the port, analyzed the variance and mathematical expectation, discovered such pioneers) You can also look at the statistics of TCP connections, DNS calls.
What will we do? From a legal point of view - nothing, since we cannot prove the fact. But, our merchants will approach such a pepper, wag a finger, offer 1tr for a new subscriber who connects to us. As a rule, people agree. If the "pioneer" goes into denial, then most likely it will be turned off within six months. In addition, the provider world is small, and most likely no one else will connect it to this address)

In our city, providers began to increase the speed during the day, in different ways, who is 5 or 10 times, for example, we have Internet 10 megabits, and the provider can offer a speed of 50-100 megabits for individuals during the day, but for legal entities there is no such thing, I understand what it is not guaranteed 100, but still..

Drag yes.
Option number one - you have NAT configured incorrectly (in both directions) and the provider can get into your internal network.
Option number two is to scan src ports at the moment they are "ignited" by the nat mechanism and see a bunch of different OS / builds behind them, and so on.
Option number three is to poke your gateway with UDP Hole Punching.
Well, the simplest thing is to look with your eyes at the nature of the traffic.
It is also very easy to protect yourself - let all users through any encrypted VPN. Configure NAT correctly (start nat only from the internal LAN in the VPN). Then the provider will see a few megabits of encrypted traffic and nothing more.
Well, yes, if you have a backup channel - most likely, the provider does not care about you.

By poppy address, right? Depends on the settings of some Zyxel Keenetic Lite