IP address graylist

The graylist is a list of IP addresses that are allowed to access your applications only if requests originating from them do not contain signs of the following attacks:

The Wallarm node blocks requests with malicious payloads that originate from graylisted IP addresses only in the safe blocking mode. If a request contains no malicious payloads, the filtering node forwards it to your applications. The behavior of the filtering node may differ if graylisted IP addresses are also allowlisted (more about list priorities).

Managing graylist

Managing graylist manually

In the Wallarm Console → IP lists → Graylist, you can manage graylisted IP addresses as follows:

  • Add a single IP address or a subnet

  • Add a group of IP addresses registered in a specific country/region, data center, network, etc.

  • Customize the time and reason for storing the IP address in the list

  • Delete IP address from the list

  • Review the history of list changes

Old name of the list

The old name of the IP address graylist is "IP address greylist".

Automatic graylist population

Besides manually adding objects to the graylist, you can configure Wallarm to populate the list automatically by using triggers. Consider the following:

  • New company accounts come with a pre-configured (default) graylist trigger.

  • To manually create a graylist trigger, add the Graylist IP address reaction to the Brute force, Forced browsing, BOLA or Number of malicious payloads triggers.

Notification about automatic graylist population for the Safe blocking mode

It is highly recommended to use the automatic graylist population for the Safe blocking mode.

If the mode is enabled but you do not have any active triggers for graylist population, the Wallarm Console → Settings → General → Filtration mode → Safe blocking section shows the following:

  • The list of disabled graylist triggers will be displayed suggesting to enable some of them.
  • If you do not have any graylist triggers, the suggestion to create at least one will be displayed.

Examples of IP graylist usage

  • Graylist IP addresses from which several consecutive attacks originated.

    An attack may include several requests that originate from one IP address and contain malicious payloads of different types. One way to block most of the malicious requests while still allowing legitimate requests from this IP address is to graylist it. You can set up automatic source IP graylisting by configuring the graylisting threshold and the appropriate reaction in the trigger.

    Source IP graylisting can significantly reduce the number of false positives.

  • Graylist IP addresses, countries, regions, data centers, networks (for example, Tor) that usually produce harmful traffic. The Wallarm node will allow legitimate requests produced by graylisted objects and block malicious requests.

Adding an object to the list

Adding an IP address to the list on the multi-tenant node

If you have installed the multi-tenant node, first switch to the account of the tenant for which the IP address is being added to the list.

To add an IP address, subnet, or group of IP addresses to the list:

  1. Click the Add object button.

  2. From the drop-down list, select the list to add the new object to.

  3. Specify an IP address or group of IP addresses in one of the following ways:

    • Input a single IP address or a subnet

      Supported subnet masks

      The supported maximum subnet mask is /32 for IPv6 addresses and /12 for IPv4 addresses.

    • Select a country or a region (geolocation) to add all IP addresses registered in this country or region

    • Select the source type to add all IP addresses that belong to this type, e.g.:
      • Tor for IP addresses of the Tor network
      • Proxy for IP addresses of public or web proxy servers
      • Search Engine Spiders for IP addresses of search engine spiders
      • VPN for IP addresses of virtual private networks
      • AWS for IP addresses registered in Amazon AWS
  4. Select the applications to which you allow or restrict access for the specified IP addresses.

  5. Select the period for which an IP address or a group of IP addresses should be added to the list. The minimum value is 5 minutes, the maximum value is forever.

  6. Specify the reason for adding an IP address or a group of IP addresses to the list.

  7. Confirm adding an IP address or a group of IP addresses to the list.

Analyzing objects added to the list

The Wallarm Console displays the following data on each object added to the list:

  • Object - IP address, subnet, country/region or IP source added to the list.

  • Application - application to which access configuration of the object is applied.

  • Source - source of a single IP address or subnet:

    • The country/region where a single IP address or subnet is registered (if it was found in the databases like IP2Location or others)
    • The source type, like Public proxy, Web proxy, Tor or the cloud platform the IP is registered in, etc. (if it was found in the databases like IP2Location or others)
  • Reason - reason for adding an IP address or a group of IP addresses to the list. The reason is manually specified when adding objects to the list or automatically generated when IPs are added to the list by triggers.

  • Adding date - date and time when an object was added to the list.

  • Remove - time period after which an object will be deleted from the list.

Filtering the list

You can filter the objects in the list by:

  • IP address or subnet specified in the search string

  • Period for which you want to get a status of the list

  • Country/region in which an IP address or a subnet is registered

  • Source to which an IP address or a subnet belongs

Changing the time that an object is on the list

To change the time that an IP address is on the list:

  1. Select an object from the list.

  2. In the selected object menu, click Change time period.

  3. Select a new date for removing an object from the list and confirm the action.

Deleting an object from the list

To delete an object from the list:

  1. Select one or several objects from the list.

  2. Click Delete.

Re-adding deleted IP address

If you manually delete an IP address that a trigger added to the list, the trigger will run again for that IP address only after half of the time the IP address was previously in the list has passed.

For example:

  1. The IP address was automatically added to the graylist for 1 hour because 4 different attack vectors were received from this IP address in 3 hours (as configured in the trigger).
  2. The user deleted this IP address from the graylist via Wallarm Console.
  3. If 4 different attack vectors are sent from this IP address within 30 minutes, this IP address will not be added to the graylist.
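
The re-adding rule above, replayed as a small Python model (an added example, not Wallarm code). It assumes the cooldown is half of the configured listing duration counted from the moment of deletion, and that attacks seen during the cooldown are not counted; the class, method names, IP address and vector labels are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class GraylistTriggerModel:
    """Hypothetical model of a graylist trigger; values follow the page's example."""
    threshold: int = 4                        # distinct attack vectors
    window: timedelta = timedelta(hours=3)    # period in which they are counted
    duration: timedelta = timedelta(hours=1)  # time the IP stays graylisted
    hits: dict = field(default_factory=dict)              # ip -> [(time, vector)]
    graylist: dict = field(default_factory=dict)          # ip -> expiry time
    suppressed_until: dict = field(default_factory=dict)  # ip -> end of cooldown

    def is_graylisted(self, ip, now):
        return self.graylist.get(ip, now) > now

    def manual_delete(self, ip, now):
        if self.graylist.pop(ip, None) is not None:
            # Assumption: cooldown is half the configured duration, from deletion.
            self.suppressed_until[ip] = now + self.duration / 2
            self.hits.pop(ip, None)

    def record_attack(self, ip, vector, now):
        """Return True if this attack caused the IP to be graylisted."""
        if self.is_graylisted(ip, now) or now < self.suppressed_until.get(ip, now):
            return False  # already listed, or trigger not running yet (assumption)
        recent = [(t, v) for t, v in self.hits.get(ip, []) if now - t <= self.window]
        recent.append((now, vector))
        self.hits[ip] = recent
        if len({v for _, v in recent}) >= self.threshold:
            self.graylist[ip] = now + self.duration
            self.hits.pop(ip)
            return True
        return False

def replay_page_example():
    t0 = datetime(2024, 1, 1, 12, 0)             # constructed timestamps
    ip = "203.0.113.7"                           # constructed, documentation range
    vectors = ["sqli", "xss", "rce", "ptrav"]    # constructed vector labels
    m = GraylistTriggerModel()
    at = lambda minutes: t0 + timedelta(minutes=minutes)
    first = [m.record_attack(ip, v, at(10 * i)) for i, v in enumerate(vectors)]
    m.manual_delete(ip, at(40))                  # cooldown runs until minute 70
    during = [m.record_attack(ip, v, at(45 + 5 * i)) for i, v in enumerate(vectors)]
    after = [m.record_attack(ip, v, at(71 + i)) for i, v in enumerate(vectors)]
    return first, during, after

if __name__ == "__main__":
    print(replay_page_example())
```

The middle list shows the window a reviewer should keep in mind before deleting a trigger-added entry: for 30 minutes after the deletion, the same attack pattern does not put the IP address back on the graylist.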