Block list proxies with high sign-in failure rates

Tor is open-source software used to enable anonymous communication and hide the location of end users. The software provides user anonymity, but it is often used by attackers to perform malicious activities. Okta enables admins to use Dynamic Zones to block list IPs that are categorized as Tor anonymizer proxies (Tor exit nodes).

HealthInsight task recommendation

Create policies to prevent or block logins from IPs with high rates of login failure. Okta provides admins with information about the IP address of each login, including proxy type.

Okta Recommends	Create a new Dynamic Zone for IPs that are categorized as Tor anonymizer proxies and block access. See Configure a Dynamic Zone to block anonymizer proxies.
Security impact	Moderate
End-user Impact	Low When the failed sign-in rate decreases to below 50%, the HealthInsight recommendation moves from the Incomplete tab to the Complete tab. This may take a few days after you configure the block list settings.

System Log query

Admins can run the following query in the System Log page, to view a list of all failed sign-in attempts that originated from IPs categorized as Tor anonymizer proxies.

eventType eq "user.session.start" and outcome.result eq "FAILURE" and debugContext.debugData.proxyType eq "tor"

Configure a Dynamic Zone to block anonymizer proxies

Okta enables admins to use Dynamic Zones to block list IPs that are categorized as Tor anonymizer proxies (Tor exit nodes).

1. From the Admin Console, navigate to Security > Networks.
2. Click Add Zone > Dynamic Zone to create a new Dynamic Zone.
3. In Zone Name, enter a name for zone.
4. To block list the zone, select Block access from IPs matching conditions listed in this zone.
5. In IP Type, select Tor anonymizer proxy.
6. Click Save.

Related topics

HealthInsight tasks and recommendations

About Network Zones

General Security

Block list Network Zones