Automatic blacklisting of network source IP addresses is a safety feature that prevents offending or attacking source IP addresses from accessing your networks. The system maintains a list of IP addresses and URIs that do not meet the set policies. The list contains the blocked IPs/URIs and the IP subnets that must be blocked.
Blacklisting of an IP/URI is based on the following policies:
If the number of attempts to log in using an invalid username or password within a configured timer limit exceeds the configured threshold value.
Note:
If the IP Threshold timer is not configured, the system blacklists a user based on the number of failed login attempts irrespective of the time value.
If the attack is from a trusted source and the number of attempts exceeds the configured threshold value. In this case, the SBC uses the To header URI to validate the invalid username or password.
Note:
The IP and URI blacklisting features are applicable only to new registrations. They are not applicable after renewing the registration.
Configure the trusted source in:
After the configured threshold values are exceeded, the system adds an entry to the DB with the block time and raises an Incidence/Syslog. The system can also propagate the information to other SBCs in a given EMS.
The system maintains the blacklisted source IP/URI with the latest timestamp in the IP/URI blocklist section. Use this section to unblock an IP/URI, block an IP subnet, permanently block an IP/URI, and propagate information to other Avaya SBCs in a given EMS (this option appears when an EMS is managing multiple Avaya SBCs or Avaya SBC pairs).
Note:
The threshold value is reset after every successful registration.
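The following is an added example, not Avaya's code: a small Python model of the failed-login policy described above, showing how the same traffic is treated with and without the IP Threshold timer and how a successful registration resets the count. The class and function names, the sliding-window interpretation of the timer, the 300-second block time and the sample events are all assumptions made for illustration.

```python
from collections import defaultdict, deque

class FailedLoginTracker:
    """Model of the policy: block a source once failures exceed the threshold."""
    def __init__(self, threshold, timer=None, block_time=300):
        self.threshold = threshold          # failed attempts tolerated
        self.timer = timer                  # seconds; None = timer not configured
        self.block_time = block_time        # assumed block duration, seconds
        self.failures = defaultdict(deque)  # source IP/URI -> failure timestamps
        self.blocked = {}                   # source IP/URI -> time the block expires

    def record(self, source, now, success):
        """Feed one new-registration attempt; True if it triggers a block."""
        if now < self.blocked.get(source, 0):
            return False                    # already blocked, nothing to count
        if success:
            self.failures.pop(source, None) # reset on successful registration
            return False
        q = self.failures[source]
        q.append(now)
        if self.timer is not None:
            # Assumed sliding window: drop failures older than the timer.
            while q and now - q[0] > self.timer:
                q.popleft()
        if len(q) > self.threshold:         # "exceeds the configured threshold"
            self.blocked[source] = now + self.block_time
            q.clear()
            return True
        return False

def replay(events, **policy):
    """Run (time, source, success) events; return sources blocked, in order."""
    tracker = FailedLoginTracker(**policy)
    return [src for t, src, ok in events if tracker.record(src, t, ok)]

# Constructed sample events: (seconds, source IP, registration succeeded?)
EVENTS = [
    (0, "192.0.2.10", False), (5, "192.0.2.10", False),
    (9, "192.0.2.10", False), (12, "192.0.2.10", False),    # burst of 4
    (0, "198.51.100.7", False), (100, "198.51.100.7", False),
    (200, "198.51.100.7", False), (300, "198.51.100.7", False),  # slow
    (0, "203.0.113.5", False), (1, "203.0.113.5", False),
    (2, "203.0.113.5", False), (3, "203.0.113.5", True),    # success resets
    (4, "203.0.113.5", False),
]

if __name__ == "__main__":
    print("timer=60s :", replay(EVENTS, threshold=3, timer=60))
    print("no timer  :", replay(EVENTS, threshold=3))
```

With the timer set, only the burst source is blocked; with no timer, the slow source is blocked as well, because its failures are never aged out.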