When Recon44 identifies a malicious request, it stops it at the edge — the blocked traffic never reaches your origin server. IP blocking works in two ways: automatically, when the WAF detects an exploit pattern, and manually, when you choose to block or whitelist a specific IP directly from the dashboard.

How automatic IP blocking works

Automatic blocking fires the moment a request matches a WAF rule in active blocking mode. The sequence is:
  1. Request arrives at the edge
     Recon44 intercepts the request at the edge node closest to the visitor. Your origin server has not received anything yet.
  2. WAF evaluates the request
     The full request — URL, headers, body, cookies — is evaluated against 200+ OWASP Core Rule Set patterns in under 50 ms.
  3. Exploit pattern matches
     If a rule fires (e.g., WAF-SQLI-01 for a SQL injection attempt), the request is immediately dropped. The source IP is added to the active blocklist.
  4. Subsequent requests from the IP are blocked at the network level
     Once an IP is on the blocklist, future requests from that address are dropped before WAF inspection even runs — reducing overhead and ensuring the attacker receives no further responses.
  5. Event appears in your Threat Feed
     The block is logged in your Live Threat Feed with the source IP, country, attack type, rule ID, and the blocked action. You can review it, whitelist the IP if it was a false positive, or leave it blocked.
Automatic IP blocking requires Pro plan or above. On the Free plan, the WAF runs in read-only mode — exploit patterns are logged but not blocked. Manual IP blocking from the dashboard is available on all plans.
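
The sequence above, as an added model in Python (not Recon44 code). It shows the consequence of step 4: once one request from an IP matches a rule, benign requests from the same address are dropped without inspection until the IP is whitelisted. The `Edge` class, the toy regex standing in for a Core Rule Set rule, and the whitelist semantics (a whitelisted IP is never auto-blocked, matches are only logged) are assumptions.

```python
import re
from dataclasses import dataclass, field

# Toy stand-in signature for illustration; real CRS rules are far more thorough.
RULES = {"WAF-SQLI-01": re.compile(r"\bunion\b.+\bselect\b|'\s*or\s+1=1", re.I)}

@dataclass
class Edge:
    active_mode: bool                            # True = active blocking, False = read-only
    blocklist: set = field(default_factory=set)
    whitelist: set = field(default_factory=set)  # assumed to override the blocklist
    feed: list = field(default_factory=list)     # stands in for the Threat Feed

    def handle(self, ip: str, request: str) -> str:
        # Step 4: a blocklisted IP is dropped before WAF inspection runs.
        if ip in self.blocklist and ip not in self.whitelist:
            return self._log(ip, None, "blocked")
        # Steps 2-3: evaluate the request against every rule.
        for rule_id, pattern in RULES.items():
            if pattern.search(request):
                if self.active_mode and ip not in self.whitelist:
                    self.blocklist.add(ip)
                    return self._log(ip, rule_id, "blocked")
                return self._log(ip, rule_id, "logged")  # read-only mode
        return "forwarded"

    def _log(self, ip, rule_id, action):
        # Step 5: every enforcement decision is recorded.
        self.feed.append({"ip": ip, "rule": rule_id, "action": action})
        return action

    def whitelist_ip(self, ip: str) -> None:
        # False-positive recovery: exempt the IP and remove it from the blocklist.
        self.whitelist.add(ip)
        self.blocklist.discard(ip)
```
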

Manual block and whitelist

You can block or whitelist any IP from the dashboard without waiting for an automatic trigger.
  1. Find the IP in your Threat Feed
     Open Threat Feed from the left navigation. Locate the entry for the IP you want to block — you can filter by source IP using the search bar.
  2. Click Block IP
     Expand the entry and click Block IP. The IP is added to your blocklist immediately. All future requests from that address are dropped at the edge.
  3. Confirm in your Block List
     Navigate to Security → Block List to see all manually blocked IPs, when they were added, and who added them.
You can also add an IP directly from Security → Block List → Add IP without needing a corresponding Threat Feed entry.

Geo and ASN blocking

Recon44 lets you block entire geographic regions, hosting providers, and known bad network ranges in one click — without managing individual IP addresses.
Block all traffic originating from a specific country. This is most useful when you are under a volumetric DDoS attack sourced from a single region, or when your product does not serve customers in that region at all.
To block a country:
  1. Go to Security → Geo Blocking.
  2. Click Add rule.
  3. Select Country and choose the country from the dropdown.
  4. Click Save. The rule is active immediately.
Traffic from the blocked country receives a connection drop at the edge. No response is sent.
Geo-blocking affects all traffic from the selected country, including legitimate users. Review whether your site has any users or dependencies (APIs, partner services) in that region before blocking.
An Autonomous System Number (ASN) identifies a network operated by a single organization — a hosting provider, ISP, or CDN. Blocking an ASN stops all traffic originating from that network’s IP ranges.
ASN blocking is particularly effective against:
  • Hosting provider ranges: Attackers frequently use cloud VMs (AWS, DigitalOcean, Linode, OVH) to run bots and scanners. Blocking the ASN for a hosting provider removes entire attack infrastructure in one rule.
  • Known bad ASNs: Recon44 maintains a curated list of ASNs with high abuse histories. You can enable the Known bad ASNs blocklist from Security → Geo Blocking with a single toggle.
To block an ASN:
  1. Go to Security → Geo Blocking.
  2. Click Add rule.
  3. Select ASN and enter the ASN number (e.g., AS14061 for DigitalOcean).
  4. Click Save.
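
Before saving a country or ASN rule, it helps to measure what the rule would have dropped from recent origin traffic, since hosting-provider ranges also carry partner webhooks and API clients. The following is an added example, not Recon44 tooling: the log format, the sample lines, and the prefixes (documentation ranges standing in for the ASN's announced prefixes) are all constructed.

```python
import ipaddress
from collections import Counter

# Constructed prefixes (RFC 5737 documentation ranges) standing in for the
# prefixes announced by the ASN you plan to block.
CANDIDATE_PREFIXES = ["198.51.100.0/24", "203.0.113.0/25"]

# Constructed origin access-log lines: ip method path status user ("-" = anonymous)
SAMPLE_LOG = """\
198.51.100.10 POST /api/webhooks/payments 200 partner-billing
198.51.100.10 POST /api/webhooks/payments 200 partner-billing
203.0.113.5 GET /wp-login.php 404 -
203.0.113.200 GET /dashboard 200 alice
192.0.2.44 GET /dashboard 200 bob
198.51.100.77 GET /.env 404 -
"""

def impact_of_block(log_text, prefixes):
    """Count requests a prefix block would drop and which were legitimate."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    legitimate = Counter()
    total = in_scope = 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip malformed lines
        ip_s, _method, path, status, user = parts
        try:
            ip = ipaddress.ip_address(ip_s)
        except ValueError:
            continue                      # skip lines without a valid IP
        total += 1
        if not any(ip.version == n.version and ip in n for n in nets):
            continue                      # the rule would not touch this request
        in_scope += 1
        # Authenticated, successful requests are treated as legitimate traffic.
        if user != "-" and status.startswith("2"):
            legitimate[(user, path)] += 1
    return {"total": total, "in_scope": in_scope, "legitimate": dict(legitimate)}
```

A non-empty `legitimate` result, such as the partner webhook in the sample, is the signal to whitelist those sources or narrow the rule before enabling it.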
Recon44 maintains an up-to-date list of Tor exit node IP addresses. Enabling Tor blocking drops all requests originating from the Tor network.
To enable Tor blocking:
  1. Go to Security → Geo Blocking.
  2. Toggle Block Tor exit nodes to on.
The list updates automatically as exit nodes change. You do not need to maintain it manually.
Blocking Tor will prevent privacy-conscious users who use Tor for legitimate reasons from accessing your site. Evaluate this tradeoff for your audience before enabling it.

How blocked traffic is handled

Blocked traffic — whether from an auto-blocked IP, a manually blocked IP, or a geo/ASN rule — is handled at the edge:
  • The connection is dropped before it reaches your origin server. Your origin never sees the request, never allocates resources for it, and never logs it.
  • The attacker receives no response (TCP RST or connection timeout depending on the protocol). This avoids confirming that the block rule fired.
  • The block event is logged in your Threat Feed and Audit Logs with the full request metadata.
Because blocked traffic never reaches your origin, IP blocking also reduces your server load and bandwidth during high-volume attacks. There is no cost on your infrastructure for blocked requests.

Blocked vs. throttled vs. logged

These three actions appear in your Threat Feed and reflect different levels of enforcement:
| Action | Traffic reaches origin? | What the attacker sees | When it applies |
| --- | --- | --- | --- |
| Blocked | No | No response (connection dropped) | WAF rule matched in active mode, or IP is on block list |
| Throttled | Yes, at reduced rate | Slow responses | Brute force / rate limit exceeded; IP not yet fully blocked |
| Logged | Yes | Normal response | Free plan (read-only WAF mode), or lower-confidence rule set to observe |
If a throttled IP continues suspicious behavior, Recon44 automatically escalates to a full block. You can also manually escalate from the Threat Feed by clicking Block IP on any throttled entry.
