How geo blocking works
When a request reaches Recon44’s edge, its source IP is looked up against a continuously updated geolocation and ASN database. If the IP matches a block rule you have set, the request is dropped before it reaches your origin server. The decision happens in the same sub-50ms inspection window as WAF rules.Geo and ASN blocking is available on all paid plans (Pro and above). Free plan users can view geo data in the threat feed but cannot enable blocking rules.
Whitelist legitimate IPs before blocking a region
Before creating any broad geo or ASN block, identify IPs you want to preserve access for — your own office IP, a partner’s IP range, a monitoring service — and add them to your whitelist. Whitelisted IPs bypass all blocking rules, including geo and ASN blocks.Add a whitelist entry
Click Add rule, enter the IP address or CIDR range, and set the action to Whitelist. Add a label such as “Office IP” or “Uptime Robot” for future reference.
Block a country or region
Search for the country
Use the search box to find the country or territory you want to block. You can search by name or ISO 3166-1 alpha-2 code (for example,
RU for Russia, CN for China).Enable the block
Click the toggle next to the country name. The toggle turns red and the block becomes active within 30 seconds across all edge nodes.
Block an ASN or hosting provider
ASN blocking targets traffic from a specific network operator rather than a geographic region. This is useful for blocking cloud provider IP ranges commonly used for automated attacks (such as data center ASNs from DigitalOcean, OVH, or similar hosting providers).Search for the ASN or provider
Enter the ASN number (for example,
AS14061 for DigitalOcean) or the provider name in the search box. Recon44 shows matching ASNs with their current traffic volume against your site to help you assess the impact.Blocking a hosting provider ASN may affect legitimate users who access the internet through that provider’s infrastructure. Review your traffic data for the ASN before blocking.
Block Tor exit nodes
Recon44 maintains an automatically updated list of known Tor exit node IP addresses. Enabling this blocks all requests originating from the Tor network.Block known bad ASNs
The Known bad ASNs category in Recon44 is a curated, continuously updated list of ASNs associated with high volumes of malicious traffic — including botnets, bulletproof hosting providers, and repeat offenders in the threat intelligence community.Practical use cases
Block regions you do not serve
Block regions you do not serve
If your product is only available in certain countries (due to legal, licensing, or business constraints), blocking all other regions reduces your attack surface significantly. Use the allowlist approach: set the default action to Block and explicitly allow only the countries your service operates in.
Stop data center and VPS abuse
Stop data center and VPS abuse
Most legitimate end users do not access websites from data center IP ranges. Blocking the ASNs of major VPS providers (DigitalOcean, Linode, Vultr, OVH, Hetzner) can dramatically reduce automated scanning and brute force attempts without affecting real users.
Reduce scraping and bot traffic
Reduce scraping and bot traffic
Combining Tor exit node blocking, known bad ASN blocking, and data center ASN blocking eliminates a large share of automated bot traffic and scrapers before WAF rules even need to fire.
Respond to an active attack
Respond to an active attack
If your threat feed shows a concentrated attack from a specific country or ASN, enable a block immediately from Security → Geo Blocking or Security → ASN Blocking. You can remove the block just as quickly once the attack subsides.