Also fantastic information, thanks very much.
A few things come to mind:
1. Perhaps I can ask our ISP to block port 5060 if the attacks are indeed coming just from that port. When I do a full port scan, I do not see that port as being open, but there may be other scanning tools that show it is open. Are there other ports as well that would need to be blocked?
2. I don't understand why you couldn't just give the card a local IP address and setup NAT and then simply only allow traffic from the IP addresses of those people having phones (yes it would have to be adjusted if their ip changed)? Why would the card care or know about this? I've done things like this for many other applications. For example, how about something like this: https://www.tp-link.com/us/support/faq/2026/
3. I will look into the Zyxel router option and see if someone can locate that document.
EDIT- I have confirmed that port 5060 in UDP is open. 5060 and 5061 are both closed to TCP, but apparently the UDP 5060 flood attack is quite common and may be what's happening here.