David, I believe this is part of the adaptive MFA product (at least for us, it showed up once we got some licenses for that product). It's called a Dynamic Zone. If you go to Security -> Networks and you have the ability to Add Zone, see if Dynamic Zone is there. Once you create the zone you can use it in policies elsewhere OR you can check the "Blacklist IPs from this zone" to immediately stop those countries from logging in. Blacklisting is the only way to stop the "DDOS" by account lockouts in AD. If you try to use them in other policies for logging in to Okta or particular applications, the lockouts will continue. See my question below regarding Dynamic Geo-Location Zones and AD Account Lock-outs.
Hi David, TeDeryl here with Okta Support. To provide the best guidance on this issue, I would suggest to open a case with our support team. We do have a feature flag that can help with Geo-Location blocking. This feature will prevent access from any other country than the one's selected for access. I have also added our documenation on 'Networks' for review if needed. https://help.okta.com/en/prod/Content/Topics/Security/Security_Network.htm