Okta administrators configure a Dynamic Zone to block network traffic based on the IP address type to mitigate password spray attacks. Attackers often use random anonymizer proxy IP addresses to execute these attacks. Creating a Dynamic Zone that blocks specific IP types, such as Tor anonymizer proxies, prevents unauthorized access and secures user accounts.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Network Zones
- Proxies
- Password Spray Attack
Malicious actors use random anonymizer proxy IP addresses to execute password spray attacks against user accounts.
What are the steps to configure a Dynamic Zone that blocks specific IP types?
Navigate to the Networks section in the Okta Admin Console, add a new Dynamic Zone, and configure the IP type settings to block access from anonymizer proxies.
- In the Okta Admin Console, navigate to Security > Networks.
- Select Add Zone, and then choose Dynamic Zone.
- Enter a name for the zone.
- Select the Block access from IPs matching conditions listed in this zone checkbox.
- For IP type, select Any, Any Proxy, Tor anonymizer proxy, or Not Tor anonymizer proxy.
NOTE: The Dynamic Zone blocks any incoming traffic from proxy IPs that match the selected type. The accuracy of Tor proxy detection depends on a third-party vendor, which identifies IP addresses that use Tor. Okta uses the proxy type only to evaluate whether a proxy is Tor or not.
- Select Save.
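To confirm the result of the steps above, the following added example (not Okta's code) audits a zone listing for an active Dynamic Zone that blocks Tor proxies. It assumes the listing has the shape returned by the Okta Zones API (`type`, `status`, `usage`, `proxyType`, `locations`, `asns`), that `Tor` and `Any` are the API values behind the "Tor anonymizer proxy" and "Any Proxy" choices, and that a zone's conditions are combined; the sample data is constructed.

```python
import json

# Constructed sample shaped like a GET /api/v1/zones response (not real tenant data).
SAMPLE_ZONES = json.loads("""[
  {"name": "Corp egress", "type": "IP", "status": "ACTIVE", "usage": "POLICY"},
  {"name": "Block Tor", "type": "DYNAMIC", "status": "ACTIVE", "usage": "BLOCKLIST",
   "proxyType": "Tor", "locations": [], "asns": []},
  {"name": "Block proxies DE", "type": "DYNAMIC", "status": "ACTIVE", "usage": "BLOCKLIST",
   "proxyType": "Any", "locations": [{"country": "DE"}], "asns": []},
  {"name": "Old Tor block", "type": "DYNAMIC", "status": "INACTIVE", "usage": "BLOCKLIST",
   "proxyType": "Tor"},
  {"name": "Tor for policy", "type": "DYNAMIC", "status": "ACTIVE", "usage": "POLICY",
   "proxyType": "Tor"},
  {"name": "Block non-Tor", "type": "DYNAMIC", "status": "ACTIVE", "usage": "BLOCKLIST",
   "proxyType": "NotTorAnonymizer"}
]""")

# Assumed API values for the UI choices "Tor anonymizer proxy" and "Any Proxy".
TOR_COVERING = {"Tor", "Any"}


def audit_zone(zone):
    """Classify one zone: does it block Tor proxy traffic as the article intends?"""
    if zone.get("type") != "DYNAMIC":
        return "n/a", "not a Dynamic Zone"
    if zone.get("proxyType") not in TOR_COVERING:
        return "no", "IP type does not include Tor proxies"
    if zone.get("usage") != "BLOCKLIST":
        return "no", "block-access checkbox not set (zone is not a blocklist)"
    if zone.get("status") != "ACTIVE":
        return "no", "zone is inactive"
    if zone.get("locations") or zone.get("asns"):
        # Assumption: zone conditions are combined, so the block is narrowed.
        return "partial", "limited to listed locations/ASNs"
    return "full", "blocks Tor proxies from any location"


def audit(zones):
    """Return {zone name: (verdict, reason)} for every Dynamic Zone."""
    results = {z["name"]: audit_zone(z) for z in zones}
    return {n: r for n, r in results.items() if r[0] != "n/a"}


def tenant_blocks_tor(zones):
    """True if at least one zone blocks Tor proxies without narrowing conditions."""
    return any(verdict == "full" for verdict, _ in audit(zones).values())


if __name__ == "__main__":
    for name, (verdict, reason) in audit(SAMPLE_ZONES).items():
        print(f"{verdict:8} {name}: {reason}")
```

A zone reported as `partial` or `no` leaves Tor-sourced sign-in attempts unblocked for at least some traffic, so review its checkbox, status, and extra conditions in Security > Networks.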
