Blocklist proxies with high sign-in failure rates

Tor is open-source software used to enable anonymous communication and hide the location of end users. The software provides user anonymity, but it's often used by attackers to perform malicious activities. A Dynamic Zone let you block IP addresses that are categorized as Tor anonymizer proxies (Tor exit nodes).

HealthInsight task recommendation

Create policies to block sign-in attempts from IP addresses with high rates of failure. Okta provides information about the IP address of each sign-in attempt, including proxy type.

Okta recommends

Create a Dynamic Zone for IPs that are categorized as Tor anonymizer proxies and block access. See Create and configure a Dynamic Zone.

Security impact

Moderate

End user impact

Low

When the failed sign-in rate decreases to below 50%, the HealthInsight recommendation moves from the Incomplete tab to the Complete tab. This might take a few days after you configure the blocklist settings.

System Log query

You can run the following query in the System Log page to view a list of all failed sign-in attempts that originated from IP addresses categorized as Tor anonymizer proxies.

eventType eq "user.session.start" and outcome.result eq "FAILURE" and debugContext.debugData.proxyType eq "tor"

Configure a Dynamic Zone to block anonymizer proxies

You can use a Dynamic Zone to block IPs that are categorized as Tor anonymizer proxies (Tor exit nodes).

  1. In the Admin Console, go to SecurityNetworks.
  2. Click Add ZoneDynamic Zone to create a Dynamic Zone.
  3. In Zone Name, enter a name for the zone.
  4. To block the zone, select Block access from IPs matching conditions listed in this zone.
  5. In IP Type, select Tor anonymizer proxy.
  6. Click Save.

The accuracy of Tor proxy detection depends on a third-party vendor, which is used to identify IP addresses that use Tor. The proxy type is only used to evaluate whether a proxy is Tor or not.

Related topics

HealthInsight tasks and recommendations

Network zones

General Security

Blocklist network zones