Yeah, running SIP on a standard port without some serious firewall based rate limiting for unknown traffic is almost impossible.
I tried running a PBX on UDP 5060 and got >4GiB of logged register attempts in a few hours after opening the port, while asterisk was running at 100% CPU just rejecting the registration attempts the whole time.
It's insane compared to any other public service I run.
Have you tried fail2ban[0]? It can take log output from Asterisk and automatically insert iptables DROP rules for the source IP to block the traffic in the kernel. It still shows up on your interface and uses your bandwidth but dropping the packet in the kernel is much more efficient than Asterisk dealing with it (not to mention safer). It should also cause the bad actor to eventually give up on you and move elsewhere.
No, I rate limit everything by default (per IP address, via a few nftables rules), until the user logs in, at which point I add the IP address to a whitelist. I also run SIP on a non-default port and use SRV records to point the client to the right port. Helps with blind IP scans.
If you use fail2ban and asterisk you will probably have to rewrite the asterisk regex rules in fail2ban.
Not a big thing, but it will probably not work out of the box.
I'm not running my own service. I'm using www.iptel.org, they offer a free sip account. Under the hood they use the Kamailio sip server. It is pretty darn reliable for a free service.
Every few months iptel.org goes down for a few hours and I get 408 request timeouts. When Spectrum blocked 5060 UDP, I got 408 request timeouts for a week. It finally dawned on me to try my iptel account on my VPS and my SIP register succeeded. That's when I knew Spectrum had shut 5060 UDP. I tried 5060 TCP and that didn't work either.
I wrote a script that monitors the asterisk log and uses iptables to block any IP with a failed request. Problem solved. Sometimes I check how many IPs are blocked, it's astonishing.
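A minimal version of the log-to-firewall approach described in the fail2ban comment and in the custom-script comment above, as an added example that is not any commenter's code: it parses constructed Asterisk chan_sip "Registration ... failed" notices, counts failures per source address and renders nft commands that add offenders to a timed block set. The log line format, the threshold and the set names sip_block4/sip_block6 are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample log lines in the classic chan_sip "Registration ... failed"
# notice format (assumed; real output varies by Asterisk version and channel driver).
SAMPLE_LOG = """\
[2024-03-01 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[2024-03-01 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[2024-03-01 10:00:03] NOTICE[1234] chan_sip.c: Registration from '"1000" <sip:1000@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[2024-03-01 10:00:04] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2024-03-01 10:00:05] NOTICE[1234] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '[2001:db8::1]:5060' - Wrong password
[2024-03-01 10:00:06] NOTICE[1234] chan_sip.c: Peer '300' is now Reachable. (12ms / 2000ms)
"""

# Source address of a failed REGISTER; IPv6 addresses are bracketed, IPv4 are bare.
FAILED_REG = re.compile(
    r"Registration from '.*?' failed for '\[?(?P<ip>[0-9a-fA-F.:]+)\]?:\d+'"
)


def failed_attempts(log_text):
    """Count failed REGISTER attempts per source IP (unparseable addresses are skipped)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if not m:
            continue
        try:
            counts[str(ip_address(m.group("ip")))] += 1
        except ValueError:
            continue
    return counts


def offenders(counts, threshold=3):
    """Addresses that reached the failure threshold, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def nft_rules(ips, set_v4="sip_block4", set_v6="sip_block6"):
    """Render nft commands adding each offender to a timed set (assumed set names).
    The sets are expected to exist, e.g. created once with:
      nft add set inet filter sip_block4 '{ type ipv4_addr; flags timeout; }'
      nft add rule inet filter input ip saddr @sip_block4 drop
    and the IPv6 equivalents with type ipv6_addr / ip6 saddr."""
    rules = []
    for ip in ips:
        name = set_v6 if ip_address(ip).version == 6 else set_v4
        rules.append(f"nft add element inet filter {name} {{ {ip} timeout 1h }}")
    return rules


if __name__ == "__main__":
    for rule in nft_rules(offenders(failed_attempts(SAMPLE_LOG))):
        print(rule)
```

Dropping in the kernel via a timed set keeps Asterisk out of the loop for repeat offenders, while the timeout lets a mistyped password from a legitimate user expire on its own.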