Managing a Dynamic Blacklist
ARM supports management of a flexible automatic dynamic blacklist.
When configured, the blacklist can include either source or destination phone numbers (DIDs) that call or are called with a predefined frequency. The list is maintained automatically by the ARM according to customer definitions; in the ARM, operators add phone numbers to the blacklist or remove them from it.
The feature allows operators to prevent DDoS/DoS and call-flooding attacks on the enterprise. A DID calling (or called) with suspicious frequency can be handled as bothersome and disruptive, and added to the blacklist.
Operators can decide how to handle blacklisted calls using the ARM’s generic routing capabilities. For example, the calls can be dropped or routed to a specific server.
Network operators must configure a Policy Studio Rule to dynamically add a number to the blacklist or remove a number from it, according to defined criteria.
➢ To configure a Dynamic Blacklist:
1. Open the Policy Studio page (Settings > Call Flow Configurations > Policy Studio) and click the add icon + to configure a Policy Studio rule to dynamically add a number. See here for detailed information about Policy Studio.
2. In the Add Policy Studio Rule screen, configure ‘Type’ as Blacklist; parameters displayed under the Conditions tab are identical to those displayed when User is defined for ‘Type’. See here for more information.
3. Click the Action tab and configure:
   ● Source or Destination number – to be checked and added to / removed from the list.
   ● Call time range (sec) – must be 1 or higher. Default: 60.
   ● Number of calls during time range criteria – must be 1 or higher. Default: 5.
   ● Blocking number period time (min) – must be 10 or higher. Default: 60.
   ● Adding tags = Tag_1/2/3. The decision to block is made in the Routing Rule using the tag information.
   ● Whitelist – Policy Studio will ignore those Prefixes / Prefix Groups.
   ● Generate alarm when number is blocked – when there is at least one number in the list, an alarm will be triggered. When the list is empty, the alarm will be cleared.
   ● An event is generated for each new number added to the Blacklist.
Use this example as reference:
4. Refer to the example in the figure:
   ● Source or Destination number = Source
   ● Call time range (sec) = 1000
   ● Number of calls during time range criteria = 2
   ● Blocking number period time (min) = 120
   ● Adding Tag_1 = blacklist_source
With this configuration, the following scenario occurs:
   ● If the source number calls more than 2 times in 1000 seconds, it’s added to the Blacklist for 120 minutes after which it’s removed.
   ● For each call from a source number listed in the Blacklist, Policy Studio will create TAG_1 = blacklist_source.
   ● The decision whether or not to block this tagged call is made in the Routing Rule, as shown in the following example:
➢ To view blacklisted (blocked) DIDs:
1. Open the ‘Dynamic Blacklist’ page (Calls > Dynamic Blacklist) to view current content as shown here; all blacklisted numbers are shown in the page, which centralizes all calls from all ARM Routers.
   ● Delete single or multiple DIDs from the list by selecting the number to delete and then clicking the delete icon. The function allows you to manually intervene in ARM decisions that are based on configuration of a ‘Blacklist’ in Policy Studio Rules. Multiple DIDs can be selected with the ‘multi-select’ option.
   ● Delete all can be selected from the Actions drop-down; all numbers are deleted from all Blacklists (defined in Policy Studio Rules). This action resets the lists.
   ● View calls can be selected from the Actions drop-down (after selecting a row), allowing you to view details of a call with phone numbers (DIDs), as part of the Blacklist; the filtered Call Details screen from the filtered Calls List page (Calls > Calls List) opens.
The feature allows you to view (for example) if an attack is continuing and if attempts are still being made to call from / to the restricted number.
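To see how the Action tab parameters interact before committing to values, the following Python model replays call records through the same threshold logic as the example configuration (1000 seconds, 2 calls, 120 minutes, Tag_1 = blacklist_source). It is an added illustration, not ARM code: the class and function names, the sliding-window interpretation of the time range, the tagging of the call that crosses the threshold, and the sample numbers are all assumptions.

```python
from collections import defaultdict, deque

class DynamicBlacklist:
    """Illustrative model of the Action tab parameters (not ARM's own code)."""

    def __init__(self, time_range_sec=60, max_calls=5, block_min=60,
                 tag="blacklist_source", whitelist_prefixes=()):
        self.time_range = time_range_sec      # Call time range (sec)
        self.max_calls = max_calls            # Number of calls during time range
        self.block_sec = block_min * 60       # Blocking number period time (min)
        self.tag = tag                        # value written to Tag_1
        self.whitelist = tuple(whitelist_prefixes)
        self.recent = defaultdict(deque)      # number -> call times inside the window
        self.blocked_until = {}               # number -> time the block expires
        self.events = []                      # one (time, number) per new entry

    def alarm_active(self, now):
        """The alarm stays raised while at least one number is listed."""
        return any(expiry > now for expiry in self.blocked_until.values())

    def on_call(self, number, now):
        """Return the tags for a call from `number` at `now` (seconds)."""
        if number.startswith(self.whitelist):
            return {}                         # whitelisted prefixes are ignored
        expiry = self.blocked_until.get(number)
        if expiry is not None and expiry <= now:
            del self.blocked_until[number]    # blocking period elapsed
        window = self.recent[number]
        window.append(now)
        while window and window[0] <= now - self.time_range:
            window.popleft()                  # forget calls outside the time range
        if number not in self.blocked_until and len(window) > self.max_calls:
            # Assumption: the call that crosses the threshold is tagged as well.
            self.blocked_until[number] = now + self.block_sec
            self.events.append((now, number))
        return {"TAG_1": self.tag} if number in self.blocked_until else {}

def replay(calls, **params):
    """Run constructed (time, number) records through the rule."""
    bl = DynamicBlacklist(**params)
    return bl, [(t, n, bl.on_call(n, t)) for t, n in sorted(calls)]

# Constructed sample calls; the numbers are placeholders.
SAMPLE = [(0, "+15550100"), (300, "+15550100"), (600, "+15550100"),
          (700, "+15550100"), (7900, "+15550100"),
          (1, "+18005550199"), (2, "+18005550199"), (3, "+18005550199")]

if __name__ == "__main__":
    _, results = replay(SAMPLE, time_range_sec=1000, max_calls=2,
                        block_min=120, whitelist_prefixes=("+1800",))
    for row in results:
        print(row)
```

Replaying a day of real call records with candidate values shows which legitimate high-volume numbers would be caught and therefore belong in the Whitelist.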