If you are using UDP for signalling its easier to get through the firewall.
The hacker can spoof his source address and port address to appear as your ITSP.
A UDP state-full pinhole is typically just kept open by a timer.
Your outbound UDP packet creates a pinhole and it is kept open by a timer of $n seconds which is reset by any packet sent or received that match the pinhole.
The hacker does not need to get any response from you to make your phone ring.
A TCP state-full pinhole can be a bit more sophisticated because it can use the connection establishment and connection termination features of TCP to be smarter about establishing and destroying the pinhole.
Robert it could be...
-your edge device is using a less restrictive form of nat.
-or the hacker is spoofing their source address and source port to appear like your ITSP
-or the attack is coming from within your network
-or you have inbound rules on your edge device
-something else I have not thought of
Suggest you use TCP if your ITSP supports it.