Not using UDP even more effective, TLS with an obscure domain particularly so, but most recent successes have been initially against your exposed ‘well known’ HTTP ports, not your SIP transport, sharing the same domain for web access with your SIP or webrtc or provisioning over ‘secure’ transport particularly not a good idea.
A firewall without port scan and connection limiting and prevention, also not recommended, I have used
@dicko
Also it’s obvious that using different port will just reduce noise, although if you are supporting already established infrastructure - it’s not a trivial task to change the service port for thousands of phones/softphones, etc…
In ideal scenario if I’m to design it from scratch - it’ll be firewall, sip-proxy/sbc behind it and all the FPBXes behind proxy.
Reverse DNS - giving some non-existing FQDN in your SIP setup and then:
if proxy sees query to IP addr - ignore and mark remote IP as scanner
if proxy sees query to non-existing FQDN - ignore and mark remote IP as scanner
if this is existing FQDN for one of your sip customers - proxy passes it to the customers FPBX.
Additional logic to your taste - when IPs marked as scanners will end up on your central firewall to block that traffic at all.