Blocklist proxies with high sign-in failure rates
Tor is open-source software used to enable anonymous communication and hide the location of end users. The software provides user anonymity, but it's often used by attackers to perform malicious activities. A Dynamic Zone let you block IP addresses that are categorized as Tor anonymizer proxies (Tor exit nodes).
HealthInsight task recommendation
Create policies to block sign-in attempts from IP addresses with high rates of failure. Okta provides information about the IP address of each sign-in attempt, including proxy type.
| Okta recommends |
Create a Dynamic Zone for IPs that are categorized as Tor anonymizer proxies and block access. See Create and configure a Dynamic Zone. |
| Security impact |
Moderate |
| End user impact |
Low When the failed sign-in rate decreases to below 50%, the HealthInsight recommendation moves from the Incomplete tab to the Complete tab. This might take a few days after you configure the blocklist settings. |
System Log query
You can run the following query in the System Log page to view a list of all failed sign-in attempts that originated from IP addresses categorized as Tor anonymizer proxies.
eventType eq "user.session.start" and outcome.result eq "FAILURE" and debugContext.debugData.proxyType eq "tor"
Configure a Dynamic Zone to block anonymizer proxies
You can use a Dynamic Zone to block IPs that are categorized as Tor anonymizer proxies (Tor exit nodes).
-
In the Admin Console, go to .
- Click to create a Dynamic Zone.
- In Zone Name, enter a name for the zone.
- To block the zone, select Block access from IPs matching conditions listed in this zone.
- In IP Type, select Tor anonymizer proxy.
- Click Save.
The accuracy of Tor proxy detection depends on a third-party vendor, which is used to identify IP addresses that use Tor. The proxy type is only used to evaluate whether a proxy is Tor or not.