Don't some VoIP devices use 1.1.1.1 too to check connection type or something?
There was a paper from a couple years ago when 1.1.1/24 (or bigger, don't remember) was still unassigned; at some AS they logged what kind of traffic was targeted at that subnet, by IP, port and protocol and 1.1.1.1 stood out. Can't find that paper just now unfortunately. :-(
