IP address blacklist

The blacklist is a list of IP addresses that are not allowed to access your applications. In any filtration mode, the filtering node blocks all requests originating from blacklisted IP addresses (unless the same IPs are also in the whitelist).

In the Wallarm Console → IP lists → Blacklist, you can manage blocked IP addresses as follows:

  • Add a single IP address or a subnet

  • Add a group of IP addresses registered in a specific country, data center, network, etc.

  • Customize the time and reason for storing the IP address in the list

  • Delete IP address from the list

  • Review the history of list changes
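Because a whitelisted IP is not blocked even when it is also blacklisted, it is worth checking which blacklist entries the whitelist overrides. The following is an added example, not Wallarm code: it assumes the IP and subnet objects of both lists have been copied into plain Python lists (the sample values are constructed), and it ignores country, source and application scoping.

```python
import ipaddress

# Constructed sample entries (documentation address ranges), standing in for
# IP/subnet objects copied by hand from the blacklist and the whitelist.
BLACKLIST = ["203.0.113.0/24", "198.51.100.7", "192.0.2.0/28", "2001:db8:1::/48"]
WHITELIST = ["203.0.113.128/25", "198.51.100.0/24", "2001:db8::/32"]


def shadowed_entries(blacklist, whitelist):
    """Map each blacklist entry that overlaps the whitelist to
    (status, overlapping whitelist networks).

    status is "full" when every address of the entry is whitelisted and
    "partial" when only some are. Whitelist networks are merged first, so two
    adjacent /25 entries are reported as the /24 they form together.
    Blacklist entries without any overlap are left out of the result.
    """
    nets = [ipaddress.ip_network(w, strict=False) for w in whitelist]
    white = []
    for version in (4, 6):
        # collapse_addresses() rejects mixed IP versions, so merge per version.
        white += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    report = {}
    for entry in blacklist:
        net = ipaddress.ip_network(entry, strict=False)
        hits = [w for w in white if w.version == net.version and w.overlaps(net)]
        if hits:
            # After merging, full coverage always comes from a single supernet.
            full = any(net.subnet_of(w) for w in hits)
            report[entry] = ("full" if full else "partial", [str(w) for w in hits])
    return report


if __name__ == "__main__":
    for entry, (status, hits) in shadowed_entries(BLACKLIST, WHITELIST).items():
        print(f"{entry}: {status} overlap with whitelist {', '.join(hits)}")
```

A "full" result means the blacklist entry currently blocks nothing; a "partial" result means part of the blacklisted subnet can still reach the application.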

IP blacklisting support

This document describes the IP blacklist configuration for the regular (client) and partner Wallarm node of version 3.4. For the Wallarm modules upgraded from version 3.2 up to 3.4, there is no difference in IP blacklist configuration.

If you have upgraded the Wallarm modules from version 3.0 or lower up to 3.4, you can see the following differences in IP list logic:

  • New IP blacklisting features
  • If operating in the off or monitoring mode, the Wallarm node does not block requests originating from the blacklisted IP addresses

If you still use Wallarm modules of version 3.2 or lower, we recommend upgrading them up to the latest version.

Examples of IP blacklist usage

  • Block IP addresses from which several consecutive attacks originated.

    An attack may include several requests originating from one IP address and containing malicious payloads of different types. One of the methods to block such attacks is to block the request origin. You can set up automatic source IP blocking by configuring the threshold for source IP blocking and the appropriate reaction in the trigger.

  • Block behavioral-based attacks.

    The Wallarm filtering node can block most harmful traffic request-by-request if a malicious payload is detected. However, for behavioral-based attacks, where every single request is legitimate (e.g. login attempts with username/password pairs), blocking by origin might be necessary.

    By default, automatic blocking of the sources of behavioral attacks is disabled. Instructions on configuring brute force protection →

Adding an object to the list

Adding an IP address to the list on the partner node

If you have installed the partner node, first switch to the account of the client for which the IP address is being added to the list.

To add an IP address, subnet, or group of IP addresses to the list:

  1. Click the Add object button.

  2. Specify an IP address or group of IP addresses in one of the following ways:

    • Input a single IP address or a subnet
    • Select a country (geolocation) to add all IP addresses registered in this country
    • Select a source to add all IP addresses that belong to this source:
      • Tor for IP addresses of the Tor network
      • Proxy for IP addresses of public or web proxy servers
      • VPN for IP addresses of virtual private networks
      • AWS for IP addresses registered in Amazon AWS
      • Azure for IP addresses registered in Microsoft Azure
      • GCP for IP addresses registered in Google Cloud Platform
  3. Select the applications to which you allow or restrict access for the specified IP addresses.

  4. Select the period for which an IP address or a group of IP addresses should be added to the list. The minimum value is 5 minutes, the maximum value is forever.

  5. Specify the reason for adding an IP address or a group of IP addresses to the list.

  6. Confirm adding an IP address or a group of IP addresses to the list.

Analyzing objects added to the list

The Wallarm Console displays the following data on each object added to the list:

  • Object - IP address, subnet, country or IP source added to the list.

  • Application - application to which access configuration of the object is applied.

  • Source - source of a single IP address or subnet:

    • Country (geolocation) where a single IP address or subnet is registered
    • Data center where a single IP address or subnet is registered: AWS for Amazon, GCP for Google Cloud Platform, Azure for Microsoft Azure
    • Tor for IP address of the Tor network
    • Proxy for IP address of public or web proxy servers
    • VPN for IP addresses of virtual private networks
  • Reason - reason for adding an IP address or a group of IP addresses to the list. The reason is manually specified when adding objects to the list or automatically generated when IPs are added to the list by triggers.

  • Adding date - date and time when an object was added to the list.

  • Remove - time period after which an object will be deleted from the list.

Filtering the list

You can filter the objects in the list by:

  • IP address or subnet specified in the search string

  • Period for which you want to get a status of the list

  • Country in which an IP address or a subnet is registered

  • Source to which an IP address or a subnet belongs

Changing the time that an object is on the list

To change the time that an IP address is on the list:

  1. Select an object from the list.

  2. In the selected object menu, click Change time period.

  3. Select a new date for removing an object from the list and confirm the action.

Deleting an object from the list

To delete an object from the list:

  1. Select one or several objects from the list.

  2. Click Delete.

Re-adding deleted IP address

If you manually delete an IP address that was added to the list by a trigger, the trigger will run again for this IP address only after half of the previous time the IP address was in the list has passed.

For example:

  1. An IP address was automatically added to the greylist for 1 hour because 4 different attack vectors were received from this IP address in 3 hours (as configured in the trigger).
  2. The user deleted this IP address from the greylist via the Wallarm Console.
  3. If 4 different attack vectors are sent from this IP address within 30 minutes, this IP address will not be added to the greylist.