by kkielhofner 1332 days ago
Have you tried fail2ban[0]? It can take log output from Asterisk and automatically insert iptables DROP rules for the source IP to block the traffic in the kernel. It still shows up on your interface and uses your bandwidth but dropping the packet in the kernel is much more efficient than Asterisk dealing with it (not to mention safer). It should also cause the bad actor to eventually give up on you and move elsewhere.

[0] - https://github.com/fail2ban/fail2ban/

2 comments

No, I rate limit everything by default (per IP address, via a few nftables rules), until the user logs in, at which point I add the IP address to a whitelist. I also run SIP on a non-default port and use SRV records to point the client to the right port. Helps with blind IP scans.

I don't really like the fail2ban approach.

If you use fail2ban and Asterisk you will probably have to rewrite the Asterisk regex rules in fail2ban. Not a big thing, but it will probably not work out of the box.
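The fail2ban approach from the first comment (log line in, kernel DROP rule out) and the Asterisk regex the last reply says you will likely need to adapt, as an added example that is not code from this thread or from the fail2ban project: a small Python scanner over constructed Asterisk log lines that counts failed SIP registrations per source IP inside a time window and returns the iptables rule fail2ban's default action would insert. The log layout, the thresholds and the IP addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout of a failed-registration NOTICE in Asterisk's "full" log
# (chan_sip style). This regex is part of the added example, not fail2ban's
# stock asterisk filter; adapt it to the exact lines your Asterisk emits.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>[\d.]+):\d+' - "
    r"(?:Wrong password|No matching peer found|Username/auth name mismatch)"
)

def parse_failures(lines):
    """Yield (timestamp, source_ip) for every line that matches FAILED_REG."""
    for line in lines:
        m = FAILED_REG.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]

def find_offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """fail2ban-style check: IPs with >= maxretry failures within findtime."""
    recent = defaultdict(list)   # ip -> timestamps still inside the window
    banned = set()
    for ts, ip in parse_failures(lines):
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return sorted(banned)

def drop_rule(ip):
    """The kernel-level drop fail2ban's iptables action adds; returned as text, never executed here."""
    return f"iptables -I INPUT -s {ip} -j DROP"

# Constructed sample log: 10.0.0.5 fails three times in ~70 s (banned);
# 192.0.2.7 fails twice but 16 min apart (outside findtime, not banned).
SAMPLE_LOG = [
    "[2024-03-01 10:00:01] NOTICE[1234] chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.9>' failed for '10.0.0.5:5060' - Wrong password",
    "[2024-03-01 10:00:20] NOTICE[1234] chan_sip.c: Registration from '\"200\" <sip:200@203.0.113.9>' failed for '192.0.2.7:5060' - No matching peer found",
    "[2024-03-01 10:00:30] NOTICE[1234] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)",
    "[2024-03-01 10:00:45] NOTICE[1234] chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.9>' failed for '10.0.0.5:5060' - Wrong password",
    "[2024-03-01 10:01:10] NOTICE[1234] chan_sip.c: Registration from '\"101\" <sip:101@203.0.113.9>' failed for '10.0.0.5:5060' - Username/auth name mismatch",
    "[2024-03-01 10:16:00] NOTICE[1234] chan_sip.c: Registration from '\"200\" <sip:200@203.0.113.9>' failed for '192.0.2.7:5060' - Wrong password",
]

if __name__ == "__main__":
    for ip in find_offenders(SAMPLE_LOG):
        print(drop_rule(ip))
```

A rate-limited setup like the one in the reply would instead hand the offending address to an nftables set referenced by a drop rule; the detection half is the same.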