Well, although the server might be in the US, I’m pretty sure that the owner is from Palestine from the numbers they are trying to complete to, it was all too easy to geo-fence such attacks (including the ongoing onslaught from one of your close neighbours) but they all moved their servers to Europe and the States ( and South Korea) to hide their activities. Personally I have my firewall block colocation companies like OVH and colocrossing as I notice the attacks, as I am pretty sure no legitimate voip traffic will ever come from any of them. and yes indeed 23.94.0.0/15 is on my list. as is coincidentally 203.250.0.0/16 so I must have tracked malicious traffic form KREONet in the past also.