Your SIP server will legitimately get a few connects a minute from each endpoint, max. Look at the CSF rules for how to build such a set of limiting filters (you are not limited to one) that accepts friends but notices DDoSes. But that is just a start . . .
As to your other ‘open’ services, which are likely the greater target of these latest exploits, you can certainly ‘pin-hole’ your SIP providers if they insist on UDP/5060, deny TCP/5038 on your WAN side, and indeed use obscure but certified domains and ports above the ‘low hanging ones’ for phone calls (SIP) and provisioning. I do that and rarely see untoward connections.
Personally, I like to keep my main 443 site open to all for UCP users, and I also allow FOP2, but only allow trusted users to the FPBX GUI. Using a proxy (HAProxy in my case) you can drop IP-based connections before they leak anything by setting a strict SNI policy (and it makes your cert management much easier, as that is handled by the proxy; only HTTP is passed to the servers).
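As an added illustration of the strict-SNI proxy setup described above (example configuration, not the poster's own), here is an HAProxy front end that refuses bare-IP connections during the TLS handshake, serves UCP/FOP2 on one hostname, and admits the FreePBX GUI only from a trusted source list. The hostnames, backend IP, trusted-list path and the assumed FreePBX path layout (/admin for the GUI) are placeholders.

```haproxy
global
    log /dev/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # strict-sni: the handshake is refused unless the client sends an SNI
    # that matches a loaded certificate. Scanners that connect by bare IP
    # (no SNI) are cut off during TLS, so no banner, redirect or login
    # page is ever returned to them.
    bind :443 ssl crt /etc/haproxy/certs/ strict-sni

    # Assumed hostnames: one for UCP/FOP2 users, a separate one for the GUI.
    acl host_pbx  ssl_fc_sni -i pbx.example.invalid
    acl host_gui  ssl_fc_sni -i admin.example.invalid
    # Assumed FreePBX layout: /admin is the GUI, /ucp and /fop2 the rest.
    acl path_gui  path_beg -i /admin
    # Assumed file: trusted source addresses, one IP or CIDR per line.
    acl trusted_src src -f /etc/haproxy/trusted-admins.lst

    # Belt and braces: anything not on a known hostname is refused here too.
    http-request deny unless host_pbx or host_gui
    # The GUI path is never served on the public hostname ...
    http-request deny if host_pbx path_gui
    # ... and on the admin hostname only from trusted sources.
    http-request deny if host_gui !trusted_src

    default_backend pbx_http

backend pbx_http
    # TLS is terminated above; plain HTTP goes to the PBX web server.
    server pbx 10.0.0.10:80 check
```

Certificates for both hostnames are dropped into the crt directory on the proxy, so renewals never touch the PBX itself.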