Hi Max,
I thought about doing something similar ;)
What stopped you creating something? Or did you? Interested :)
As far as I can see in the code, you count somebody as a bad actor just because one UDP packet is received. It is a bad idea, because it is easy to spoof that packet and cause a DoS against some good actor.
The next stage is to tag these probes as passive, then reply in SIP, like you say, allow registrations and calls, etc., and then mark them as aggressive.
I'm not actually replying to the packets, so no reflection attacks.
The right way: you have to simulate a SIP dialog with this actor, i.e. reply to them with something and wait for the reaction. If the reaction is like that in normal SIP call processing, congratulations, you found a hacker! If not, as if you sent them a packet they did not expect, it is a DoS and a spoofed packet.
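The "challenge first, then escalate" scheme described in the two replies above (tag a probe as passive, answer it in SIP, and only mark the source as aggressive once it continues the dialog), written out as an added example. This is not the honeypot code discussed in the thread; it is a stand-alone Python sketch. It assumes a 401 Digest challenge as the reply, a 30-second window for the follow-up, and RFC 5737 documentation addresses for the constructed sample traffic. A source that answers the challenge with the nonce we issued has demonstrably received our packet, so its address was not spoofed; a source that never answers is left unblocked, which is what protects a victim whose address was forged in the first datagram. Only one challenge is ever sent per source, so the reply cannot be used as a reflector.

```python
import re
import secrets
import time

CHALLENGE_TTL = 30.0  # seconds a challenge stays open (assumed value)
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) SIP/2\.0$")


def parse_sip(datagram):
    """Return (method, headers) for a SIP request datagram, or None if it is not one."""
    lines = datagram.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower()] = value.strip()
    return m.group(1).decode(), headers


class SipProbeClassifier:
    """Passive -> challenged -> aggressive (answered) or unconfirmed (silent)."""

    def __init__(self, clock=time.monotonic, ttl=CHALLENGE_TTL):
        self.clock, self.ttl = clock, ttl
        self.sources = {}  # src ip -> {"state", "call_id", "nonce", "opened"}
        self.outbox = []   # (dst ip, reply bytes) the caller would send over UDP

    def handle(self, src, datagram):
        parsed = parse_sip(datagram)
        if parsed is None:
            return "ignored"
        _method, hdrs = parsed
        call_id = hdrs.get(b"call-id", b"")
        entry = self.sources.get(src)
        if entry is None or entry["state"] == "unconfirmed":
            # First sight: open exactly one challenge. A spoofed source receives
            # a single small 401 and we never hear back from it.
            nonce = secrets.token_hex(8)
            self.sources[src] = {"state": "challenged", "call_id": call_id,
                                 "nonce": nonce, "opened": self.clock()}
            self.outbox.append((src, self._challenge(hdrs, nonce)))
            return "challenged"
        if entry["state"] == "challenged":
            auth = hdrs.get(b"authorization", b"")
            if call_id == entry["call_id"] and entry["nonce"].encode() in auth:
                # The sender continued the dialog with our nonce: it really
                # received the challenge, so the address is genuine. Escalate.
                entry["state"] = "aggressive"
                return "aggressive"
            # Unrelated traffic while a challenge is open: no second reply
            # (limits reflection to one datagram per source), no escalation.
            return "challenged"
        return entry["state"]

    def expire(self):
        """Close unanswered challenges; the original packet may have been spoofed."""
        now = self.clock()
        for entry in self.sources.values():
            if entry["state"] == "challenged" and now - entry["opened"] > self.ttl:
                entry["state"] = "unconfirmed"
        return sorted(s for s, e in self.sources.items() if e["state"] == "unconfirmed")

    def blocklist(self):
        return sorted(s for s, e in self.sources.items() if e["state"] == "aggressive")

    @staticmethod
    def _challenge(hdrs, nonce):
        # Minimal 401 that mirrors the request's dialog identifiers (assumed shape).
        return (b"SIP/2.0 401 Unauthorized\r\nVia: " + hdrs.get(b"via", b"")
                + b"\r\nFrom: " + hdrs.get(b"from", b"")
                + b"\r\nTo: " + hdrs.get(b"to", b"") + b";tag=" + nonce.encode()
                + b"\r\nCall-ID: " + hdrs.get(b"call-id", b"")
                + b"\r\nCSeq: " + hdrs.get(b"cseq", b"")
                + b'\r\nWWW-Authenticate: Digest realm="honeypot", nonce="'
                + nonce.encode() + b'"\r\nContent-Length: 0\r\n\r\n')


def make_register(call_id, cseq, authorization=None):
    """Constructed sample scanner traffic (not captured data)."""
    lines = [b"REGISTER sip:203.0.113.10 SIP/2.0",
             b"Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-" + call_id.encode(),
             b"From: <sip:100@203.0.113.10>;tag=abc", b"To: <sip:100@203.0.113.10>",
             b"Call-ID: " + call_id.encode(), b"CSeq: %d REGISTER" % cseq]
    if authorization:
        lines.append(b"Authorization: " + authorization.encode())
    return b"\r\n".join(lines + [b"Content-Length: 0", b"", b""])


def demo():
    """Both cases from the thread: a scanner that answers, and a spoofed victim that cannot."""
    clock = [0.0]
    c = SipProbeClassifier(clock=lambda: clock[0], ttl=30.0)
    verdicts = [c.handle("198.51.100.7", make_register("c1", 1))]
    nonce = c.sources["198.51.100.7"]["nonce"]
    auth = 'Digest username="100", realm="honeypot", nonce="%s", response="0"' % nonce
    verdicts.append(c.handle("198.51.100.7", make_register("c1", 2, auth)))
    verdicts.append(c.handle("192.0.2.44", make_register("c2", 1)))  # forged source
    clock[0] += 31.0
    return verdicts, c.blocklist(), c.expire(), len(c.outbox)
```

A real deployment would feed `handle()` from a UDP socket and send each `outbox` entry back; the state dictionary would also need a cap on total tracked sources so a flood of forged addresses cannot exhaust memory.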
Agreed!
Thank you for reading and your reply.