SIPstation trunks and RTP forwarding

We are thinking of getting a few Sipstation trunks.
We can source-restrict SIP 5060 to a SIPstation IP address or domain name, so that’s good.
We don’t feel comfortable opening RTP ports to the internet at large though . Although there is no threat of hacking into our system, Dos attacks would still be possible.

What is your take/experience on this, and how does Asterisk deal with a ton of unauthorized RTP traffic?

For RTP traffic Asterisk doesn’t bind to 10000-2000 ports on startup. It binds to them dynamically. If you telnet to an asterisk system on UDP port 10000 and there are no calls happening you will just timeout.