FreePBX Server Hacked. Was firewalled but port 80 open to the world

Over the years I have been watching this stuff; this will have to be anecdotal, because anything I found is long unnecessary and has been discarded.

These guys are not “knuckle-draggers”; they are very sophisticated and often funded by the states of China, Palestine and Russia, and almost all are cleverer than at least me.

They decide who to vector by many metrics, and they work in co-ordination: one set will probe the fingerprint of your outside IP, looking for 5060, 5038 and the set of provisioning ports; they will also try looking for HTML scripts that, although not necessarily vulnerable, identify a system that is open for further probing. Look to implementing Fail2Ban’s apache-noscript jail; it’s already there, it just needs turning on.
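As an added illustration of what that jail is looking for (this is example code written for this page, not Fail2Ban's own filter and not anything from the original post), here is a small re-implementation of the apache-noscript idea run over constructed Apache access-log lines: repeated 404s for script-like paths from one address, inside a time window, mark that address as a probe. The extension list, the `maxretry`/`findtime` values and the sample log lines are this example's own assumptions; in a real deployment you simply set `enabled = true` under `[apache-noscript]` in Fail2Ban's `jail.local` and let the shipped filter do this.

```python
"""Toy re-implementation of the apache-noscript idea (added example, not Fail2Ban code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified Apache "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Script-like paths that do not exist on the server: the signature the jail keys on.
# The extension list is an assumption modelled on the jail's intent.
SCRIPT_EXT_RE = re.compile(r'\.(php|asp|aspx|cgi|pl|exe|scgi)(\?|$)', re.IGNORECASE)

MAXRETRY = 3                    # assumed threshold, like fail2ban's maxretry
FINDTIME = timedelta(minutes=10)  # assumed window, like fail2ban's findtime

def parse_ts(ts):
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def is_script_probe(line):
    """Return (ip, timestamp) if the line is a 404 for a script-like path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if m.group("status") != "404" or not SCRIPT_EXT_RE.search(m.group("path")):
        return None
    return m.group("ip"), parse_ts(m.group("ts"))

def find_offenders(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Per-IP sliding window: an IP is reported once it reaches maxretry
    script probes within findtime, mirroring fail2ban's ban semantics."""
    window = defaultdict(list)
    offenders = set()
    for line in lines:
        hit = is_script_probe(line)
        if hit is None:
            continue
        ip, ts = hit
        # keep only probes still inside the window, then add this one
        window[ip] = [t for t in window[ip] if ts - t <= findtime] + [ts]
        if len(window[ip]) >= maxretry:
            offenders.add(ip)
    return offenders

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2024:12:00:01 +0000] "GET /setup.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "GET /old/login.asp HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2024:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:12:00:04 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2024:12:00:05 +0000] "GET /missing.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    # one old probe whose window has expired, then two recent ones: stays below maxretry
    '192.0.2.44 - - [10/Mar/2024:11:00:00 +0000] "GET /a.php HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.44 - - [10/Mar/2024:12:30:00 +0000] "GET /b.php HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.44 - - [10/Mar/2024:12:31:00 +0000] "GET /c.php HTTP/1.1" 404 196 "-" "-"',
]

if __name__ == "__main__":
    print(sorted(find_offenders(SAMPLE_LOG)))
```

Only 198.51.100.7 crosses the threshold: the legitimate client's single 404 and the address whose earlier probe fell outside the window both stay below `maxretry`, which is the point of the window in fail2ban rather than a lifetime count.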

Every few weeks/months another profile is developed and used.

These low-level dudes glean info and escalate your identity upwards to more powerful groups if you fail the low-level scripts.

(Just because it says it’s sipvicious, it’s not necessarily so :wink: )

Two radical but effective methods I find useful:-

  1. Just don’t use 5060.
  2. Only accept traffic to your domain name and reject anything to your IP address (yes, you need a domain name and an SSL certificate).
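The second rule, as an added example of the decision logic (written for this page; it is not FreePBX or Asterisk code and not from the original post): classify a SIP request line by the host in its Request-URI and accept it only when that host is the PBX's own domain, rejecting IP literals and foreign domains. `SERVICE_DOMAIN` and the sample request lines are assumptions; how the rule is enforced in the PBX or a front-end filter is configuration outside this example, and the same check applies to the HTTP `Host` header on port 80.

```python
"""Accept SIP requests addressed to our domain only (added example, not PBX code)."""
import ipaddress
import re

SERVICE_DOMAIN = "pbx.example.com"   # assumption: the name the PBX answers to

REQ_LINE_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<uri>\S+) SIP/2\.0$')

def uri_host(uri):
    """Host part of a SIP URI like sip:1000@pbx.example.com:5060;transport=udp."""
    body = uri.split(":", 1)[1] if ":" in uri else uri   # drop sip:/sips: scheme
    if "@" in body:
        body = body.split("@", 1)[1]                     # drop user part
    body = body.split(";", 1)[0]                         # drop URI parameters
    if body.startswith("["):                             # bracketed IPv6 literal
        return body[1:body.index("]")]
    return body.split(":", 1)[0]                         # drop port

def classify_request(line, domain=SERVICE_DOMAIN):
    """Return 'accept' or a 'reject:<reason>' string for one SIP request line."""
    m = REQ_LINE_RE.match(line)
    if not m:
        return "reject:malformed"
    host = uri_host(m.group("uri")).lower().rstrip(".")
    try:
        ipaddress.ip_address(host)       # v4 or v6 literal: caller found us by IP
        return "reject:ip-literal"
    except ValueError:
        pass
    if host == domain.lower():
        return "accept"
    return "reject:foreign-domain"

# Constructed request lines (documentation-range addresses).
SAMPLES = [
    "INVITE sip:1000@pbx.example.com SIP/2.0",
    "REGISTER sip:203.0.113.5 SIP/2.0",
    "OPTIONS sip:100@[2001:db8::1]:5060 SIP/2.0",
    "INVITE sip:1000@other.example.net;transport=tcp SIP/2.0",
    "not a sip request",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify_request(s):24} {s}")
```

Scanners that sweep address ranges address the IP they found, not a name they would have to know in advance, so the first two rejections are the cheap win; the third shows the domain comparison also keeps out requests routed to the box under some other name.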

Another JM2CWAE
