If you are getting a lot of this traffic, try using a tool like
sngrep to monitor incoming traffic for a while and see where the nuisance INVITEs are coming from.
Note that the kernel firewall blocks the traffic after it is already seen by the server, so in
sngrep you will probably notice some INVITE packets to which Asterisk does not reply. That’s good–those are being blocked by the firewall. The ones you would want to focus on are ones where Asterisk replies.