Renew certificate failed due to secondary validation (again)

Thank you for detailed comments!

Yes, Hetzner, like many other providers, has built-in anti-DDoS protection. But it works only for low-level DDoS attacks such as SYN/UDP flood, DNS reflection, NTP reflection, etc. Surely no LE validation server could generate traffic to one host like those attacks. LE validation servers just send regular HTTP requests on port 80 at a low rate compared to the anti-DDoS triggers.

Let's clarify: I have N domains in the LE cert. If renewal fails, my server gets strictly N * 2 validation HTTP requests from the various LE servers for each attempt. All LE requests reach my server without any trouble. But there are no third requests to any of the N domains from any LE validation server. If I suppose that some anti-DDoS filter blocks some requests, I definitely would not see strictly N*2 requests for each attempt.
Moreover, when I faced real high-level DDoS attacks (level 7 - many identical valid HTTP requests at a high rate), not one request was blocked at the provider's level.
Summary: the provider's anti-DDoS protection does not block regular HTTP requests (it would be strange if any provider did this).

If renewal succeeds, my server gets strictly N*4 validation HTTP requests from the various LE servers.
I can presume that in some conditions the LE validation process fails after the second validation for some internal reasons (related to the connection or not). It may depend on the value of N or may not. I do not know your internal kitchen. But I do know, not by hearsay, how hard it is to debug such errors on highly loaded systems.
So I very much appreciate that the LE team is trying to help.
I hope my case may be useful for future development.
Thank you!

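The counting the poster describes (how many challenge fetches each of the N domains actually received per attempt) can be checked from the web server's own access log. The following is an added example, not code from the post or from Let's Encrypt: it parses constructed log lines in an assumed custom format (vhost first, then a combined-style entry), groups HTTP-01 challenge requests by host and token, counts distinct source addresses, and flags any challenge that was fetched fewer times than expected. The expected count is a parameter; the value 4 below is only the poster's observation for a successful renewal.

```python
import re
from collections import defaultdict

# Constructed sample entries for this example (not real Let's Encrypt traffic).
# Assumed log format: "<vhost> <client> - - [<time>] \"<request>\" <status> <bytes> \"<user-agent>\""
LE_UA = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
SAMPLE_LOG = f"""\
a.example.com 198.51.100.10 - - [01/Jan/2024:10:00:01 +0000] "GET /.well-known/acme-challenge/tokA HTTP/1.1" 200 87 "{LE_UA}"
a.example.com 203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /.well-known/acme-challenge/tokA HTTP/1.1" 200 87 "{LE_UA}"
b.example.com 198.51.100.10 - - [01/Jan/2024:10:00:01 +0000] "GET /.well-known/acme-challenge/tokB HTTP/1.1" 200 87 "{LE_UA}"
b.example.com 203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /.well-known/acme-challenge/tokB HTTP/1.1" 200 87 "{LE_UA}"
b.example.com 192.0.2.55 - - [01/Jan/2024:10:00:03 +0000] "GET /.well-known/acme-challenge/tokB HTTP/1.1" 200 87 "{LE_UA}"
b.example.com 192.0.2.56 - - [01/Jan/2024:10:00:03 +0000] "GET /.well-known/acme-challenge/tokB HTTP/1.1" 200 87 "{LE_UA}"
a.example.com 192.0.2.99 - - [01/Jan/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512 "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<ua>[^"]*)"$'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def count_validations(log_text):
    """Map (vhost, challenge token) -> set of distinct client addresses that fetched it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(CHALLENGE_PREFIX):
            continue  # unparsable line or not a challenge fetch
        token = m["path"][len(CHALLENGE_PREFIX):]
        seen[(m["host"], token)].add(m["ip"])
    return seen


def short_of(expected, seen):
    """Challenges fetched from fewer than `expected` distinct sources, as (host, token, count)."""
    return sorted((h, t, len(ips)) for (h, t), ips in seen.items() if len(ips) < expected)


if __name__ == "__main__":
    seen = count_validations(SAMPLE_LOG)
    for (host, token), ips in sorted(seen.items()):
        print(f"{host} token={token}: {len(ips)} distinct validator sources")
    print("short of 4:", short_of(4, seen))
```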