If you are using UDP for signalling its easier to get
through the firewall.
The hacker can spoof his source address and port address to
appear as your ITSP.
A UDP state-full pinhole is typically just kept open by a
timer.
Your outbound UDP packet creates a pinhole and it is kept
open by a timer of $n seconds which is reset by any packet
sent or received that match the pinhole.
The hacker does not need to get any response from you to
make your phone ring.
A TCP state-full pinhole can be a bit more sophisticated
because it can use the connection establishment and connection
termination features of TCP to be smarter about establishing
and destroying the pinhole.
Robert it could be...
-your edge device is using a less restrictive form of nat.
-or the hacker is spoofing their source address and source
port to appear like your ITSP
-or the attack is coming from within your network
-or you have inbound rules on your edge device
-something else I have not thought of
Suggest you use TCP if your ITSP supports it.