Blacklist proxies with high sign-in failure rates

This is an Early Access feature. To enable it, use the Early Access Feature Manager as described in Manage Early Access and Beta features.

Tor is open-source software used to enable anonymous communication and hide the location of end users. The software provides user anonymity, but it is often used by attackers to perform malicious activities. Okta enables admins to use dynamic zones to blacklist IPs that are categorized as Tor anonymizer proxies (Tor exit nodes).


HealthInsight: Why is this task recommended?


This feature is a HealthInsight security task. For more security recommendations from Okta, see HealthInsight.

Okta provides admins with information about the IP address of each login, including proxy type. Create policies to prevent or block logins from IPs with high rates of login failure.

Security impact: Moderate

End-user impact: Low

Okta recommends: Create a new Dynamic Zone for IPs that are categorized as Tor anonymizer proxies and block access. See the procedure To create and configure a Dynamic Zone below.


End-user experience and impact


When the failed sign-in rate decreases to below 50%, the HealthInsight recommendation moves from the Incomplete tab to the Complete tab. This may take a few days after you configure the blacklist settings.


System Log Query

Admins can run the following query on the System Log page to view a list of all failed sign-in attempts that originated from IPs categorized as Tor anonymizer proxies.

eventType eq "user.session.start" and outcome.result eq "FAILURE" and debugContext.debugData.proxyType eq "tor"
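As an added example that is not part of Okta's documentation, the following Python script applies the same three conditions to a handful of constructed System Log events and computes the failed sign-in rate for Tor proxies that HealthInsight compares against 50%. The event field layout mirrors the paths in the query, and the rate definition (failures divided by all user.session.start events with proxyType "tor") is an assumption.

```python
QUERY = ('eventType eq "user.session.start" and outcome.result eq "FAILURE" '
         'and debugContext.debugData.proxyType eq "tor"')

def ev(result, proxy, ip):
    """Build a minimal constructed user.session.start event with the queried fields."""
    dbg = {"proxyType": proxy} if proxy else {}
    return {"eventType": "user.session.start", "outcome": {"result": result},
            "client": {"ipAddress": ip}, "debugContext": {"debugData": dbg}}

# Constructed sample events (not real Okta data): three Tor failures, one Tor
# success, and one failure from a direct (non-proxy) address.
SAMPLE_EVENTS = [ev("FAILURE", "tor", "198.51.100.7"), ev("FAILURE", "tor", "198.51.100.7"),
                 ev("FAILURE", "tor", "203.0.113.9"), ev("SUCCESS", "tor", "203.0.113.9"),
                 ev("FAILURE", None, "192.0.2.44")]

def parse_query(query):
    """Parse the simple '<path> eq "<value>" and ...' form into (path, value) pairs."""
    conditions = []
    for clause in query.split(" and "):
        path, op, value = clause.split(" ", 2)
        if op != "eq":
            raise ValueError(f"unsupported operator: {op}")
        conditions.append((path, value.strip('"')))
    return conditions

def get_path(event, path):
    """Resolve a dotted path such as 'outcome.result' against a nested dict."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def matching_events(events, query=QUERY):
    """Events satisfying every clause of the query, i.e. failed Tor-proxy sign-ins."""
    conditions = parse_query(query)
    return [e for e in events if all(get_path(e, p) == v for p, v in conditions)]

def tor_failure_rate(events):
    """Failed share of Tor-proxy sign-in attempts (assumed HealthInsight definition)."""
    tor = [e for e in events if get_path(e, "eventType") == "user.session.start"
           and get_path(e, "debugContext.debugData.proxyType") == "tor"]
    if not tor:
        return 0.0
    return sum(get_path(e, "outcome.result") == "FAILURE" for e in tor) / len(tor)

if __name__ == "__main__":
    print("failed Tor sign-ins:", len(matching_events(SAMPLE_EVENTS)))
    print("Tor failure rate:", tor_failure_rate(SAMPLE_EVENTS))
```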


Procedure


Configure a Dynamic Zone to block anonymizer proxies


To create and configure a Dynamic Zone:

  1. From the admin console, navigate to Security > Networks.
  2. Click Add Zone > Dynamic Zone to create a new Dynamic Zone.
  3. In the IP Type, select Tor anonymizer proxy.
  4. To blacklist the zone, select Blacklist access from IPs matching conditions in this zone.
  5. Click Save.
[Image: Configuration settings for a Dynamic Zone to block anonymizer proxies]


Note

The accuracy of Tor proxy detection depends on a third-party vendor that Okta uses to identify IP addresses that use Tor. The proxy type is used only to evaluate whether a proxy is Tor or not.

