The SBC Core enhanced Dynamic Blacklist (DBL) feature provides the ability to restrict packets and rejects the SIP messages received from endpoints based on the criteria and action, which are provided in a rule. In this way, the SBC is protected from offending or misconfigured/misbehaving endpoints.

The enhanced DBL Profile is configured to contain one or more rules. The profile is then associated with a SIP Trunk Group. The rules contain criteria and action.

  • When an endpoint triggers a rule with a blacklist action, all packets from that endpoint are dropped for the effective period. When the timer expires, the entry is removed.
  • When an endpoint triggers a rule with a rejectWithResponse action, all SIP requests from that endpoint are rejected with the response configured in the rule for the configured effective period. When the timer expires, the entry is removed.

This SBC enhanced profile supports handling offending events in a flexible way apart from triggers such as  the two consecutive 401s for REGISTER messages, badSipMessage, and endpoint CAC rejection.

Enhanced DBL Profile

Command Syntax

% set profiles services enhancedDblProfile <profile name>
    rule <rule name>
    state <disabled | enabled> 

Command Parameters

The Enhanced DBL Profile parameters are described below.

Note

Use the request addressContext <addressContext name> enhancedDBL removeEnhancedDblEntry removeIpEntry commands to remove any Enhanced DBL IP-based entries matching specific criteria.
Refer to Request Address Context - CLI for details.

Note

Use the show status/table addressContext <addressContext name> enhancedDBL commands to view Enhanced DBL Profile status details.
Refer to Show Table Address Context for details.

Enhanced DBL Profile Parameters

ParameterLength/RangeDescription

enhancedDblProfile

1-23 characters

<profile name> – The name of the Enhanced DBL Profile. The SBC Core supports up to 100 Enhanced DBL Profiles.

rule1-23 characters

<rule name> – The rule name for this Enhanced DBL Profile. Up to 8 rules are configurable for each profile.

See Rule Parameters table below for parameter descriptions.

stateN/A

Administrative state of this profile.

  • disabled (default)
  • enabled

Rule

Command Syntax

% set profiles services enhancedDblProfile <profile name> rule <rule name> 
	action
		effectivePeriod <0-86400 seconds>
        type 
			blacklist
			rejectWithResponse rejectWithResponseCode <400-699>
			watch
	criteria <rule criteria>
	state <disabled | enabled>

Command Parameters

Rule Parameters

ParameterDescription
criteriaUse this parameter to define the criteria for triggering an event. See Criteria Parameters table below for parameter details.
actionThe type of action to take for this rule and its effective period.
  • effectivePeriod <0-86400> – The duration, in seconds, for the specified action to occur. An effectivePeriod of "0" is treated as an infinite value. Default = 60.
  • type – The action to take when criteria is met for this rule.
    • blacklist – All packets from the affected endpoint are dropped for the effective period.
    • rejectWithResponse rejectWithResponseCode <400-699> Any request from such endpoints are rejected with the configured rejection response code for the effective period.
    • watch (default) – The SBC passively watches for offenders, and does not take any direct action. Endpoint details are observable using the 'show' command below.

NOTE: Use a valid SIP response code while configuring rejectWithResponseCode because the CLI does not validate it during the configuration. 

The supported response codes within 400-699 (RFC 3261 compliant) are:

  • For 4xx: 400, 401, 402, 403, 404, 405, 406, 407, 408, 409, 410, 411, 413, 414, 415, 416, 417, 420, 421, 422, 423, 480, 481, 482, 483, 484, 485, 486, 487, 488, 491, 493, 494.
  • For 5xx: 500, 501, 502, 503, 504, 505, 513, 580.
  • For 6xx: 600, 603, 604, 606.
state

Administrative state for this rule.

  • disabled (default)
  • enabled

Criteria

Command Syntax

% set profiles services enhancedDblProfile <profile name> rule <rule name> criteria
	occurrence
		aggrCountValue <1-86400>
		consecutive 
			disabled
				resetMethodResp <101-699>
				resetMethodType <ALL | BYE | CANCEL | INFO | INVITE | MESSAGE | NOTIFY | OPTIONS | PRACK | PUBLISH | REFER | REGISTER | SUBSCRIBE | UPDATE> 
            enabled
		 countType aggrCount 
		 resetCount <1-10>
		 timerWindow <1-86400 seconds>
	offendingEvent
		methodResp <all | all4xx | all5xx | all6xx | 400-699 or single value>
		methodType <ALL | BYE | CANCEL | INFO | INVITE | MESSAGE | NOTIFY | OPTIONS | PRACK | PUBLISH | REFER | REGISTER | SUBSCRIBE | UPDATE>
		triggerEventType <authenticationTimeout | badSipMessage | receiptOfMessage>
	scope <ipAddress | ipAddress-Port | ipAddress-Port-Transport>

Command Parameters

Criteria Parameters

ParameterDescription

occurrence

Use this parameter to define the period over which occurrences of the offending event will match the count so that an action is triggered.

  • aggrCountValue <1-86400> (default=10) – Use this attribute to specify the number of offending event occurrences to receive in the defined timer window to trigger a defined action.
  • consecutive – This flag defines the resetting behavior for the offending event count. If enabled, receiving any non-offending event for the trigger increments the internal reset count value. If disabled, receiving configured (resetMethodType+resetMethodResp) event for the trigger increments the internal reset count value.
    • enabled (default)
    • disabled
      • resetMethodType <ALL | BYE | CANCEL | INFO | INVITE | MESSAGE | NOTIFY | OPTIONS | PRACK | PUBLISH | REFER | REGISTER | SUBSCRIBE | UPDATE> – The method type for resetting the offending event count.
      • resetMethodResp <101-699> – Use to specify one or more responses for the configured method to reset the offending event counter. For example, [ 200 302 ].
        NOTE: When you use more than one value, enclose the values in square brackets [ ], separating each value with a space. Entering a value without using brackets appends the value to the existing configuration.
  • countType aggrCount – The type of count that is used. (Only aggrCount is supported at this time)
  • resetCount <1-10> (default=1) – The number of resetting events that are required to remove the entry from the tracking.
  • timerWindow <1-86400 seconds> (default=60) – The specified period (in seconds) during which the offending event count must match the criteria to trigger an action.

NOTE: Once the internal reset count values reach the configured threshold (resetCount), the entry is removed from the tracking.

offendingEvent

Use this parameter to define the offending event characteristics and the trigger event type.

  • triggerEventType <authenticationTimeout | badSipMessage | receiptOfMessage> – The type of offending trigger events.
    • authenticationTimeout – An authentication timeout is a trigger event where an authentication response request for the 401/407 is not received from an endpoint.   
    • badSipMessage The bad SIP message event is a trigger event where the SBC receives a SIP PDU, which is malformed according to the parsing rules.  
    • receiptOfMessage The receipt of a message event is a trigger event where the endpoint receives the configured response code for the configured method from the SBC. 
  • methodType <ALL | BYE | CANCEL | INFO | INVITE | MESSAGE | NOTIFY | OPTIONS | PRACK | PUBLISH | REFER | REGISTER | SUBSCRIBE | UPDATE> (default = REGISTER) – The offending method type. This is not applicable for badSipMessage.
  •  methodResp <all | all4xx | all5xx | all6xx | 400-699 or single value> – The failure response code(s) of the offending event for the given method, which is sent towards the endpoint. This is applicable only for receiptOfMessage.
    • 400-699 – Enter a single code, or enter multiple codes within square brackets and separating each entry with a space. For example, [ 403 504 606 ]
    • all – include all response codes from 400-699

    • all4xx – include all 4xx response codes

    • all5xx – include all 5xx response codes

    • all6xx – include all 6xx response codes

    NOTE: When you use more than one value, enclose the values in square brackets [ ], separating each value with a space. Entering a value without using brackets appends the value to the existing configuration.

scope 

Use this parameter to specify from which entity the rule criteria is applied to the messages.

  • ipAddress (default) 
  • ipAddress-Port
  • ipAddress-Port-Transport