How to stop SipVicous against Spoofing Server IP

Lately my servers are coming under heavy attack from SipVicous, they are doing the standard calling each extension like 100, 101, etc and going down the list. If they happen to hit a registered extension it rings and drives people crazy.

On my server I have disabled anonymous SIP calls, I also added of course the alwaysauthreject=yes

However they are still coming through. What I do know is that they are using the From source address as the same IP address of my server.

My thoughts is that Anonymous Sip calls being disabled is being side stepped because they are making it appear as if its coming from my own server, and im guessing “Anonymous” isnt your server IP.

Now of course I did a tcpdump and using WireShark I can go ahead and identify the true source IP address, but as we all know as soon as I close one IP another one pops up.

Is there some other way to block these SipVicous calls? Perhaps there is a way I can send all source calls which match a pattern of less than 3-4 digits (since most of these hacks come from 100, 101, etc) and dump them into nothing. How would i go about doing this?

Any other ideas would be great.

Thanks in advance

Fail2ban should take care of those calls in short order, If still necessary write a regex to reject 3 digit extensions on attempted connect.

Why do you have port 5060 opened anyway?