So... I was trying to see if I could alter the SIP security framework messages to differentiate between auth failures for any UDP packet and those with a valid nonce. Those with a valid nonce would probably not have a spoofed IP, so I can use fail2ban on them with more peace of mind.
But then I saw the different handling of the alwaysauthreject challenge and the "normal" challenge code. These differences can be observed by an attacker sniffing for valid usernames.
I haven't done any work on fixing the issue. But it's likely that the right fix would be to follow the normal challenge code path as much as possible.
(my employer wouldn't mind if OSSO B.V. is mentioned in a security bulletin if that were to be produced)