When a malicious actor attacks an organization from a specific IP address, the result is rate limit violations or user lockouts. Resolve this issue by creating a Network Zone in Okta that blocks the specific IP address from accessing the organization. When this issue occurs, the System Log displays the following messages:
- Okta Rate Limit Warning
- Okta Rate Limit Reached
- Okta Burst Rate Limits Activated
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Network Zones
- Security
A malicious actor uses a specific IP address to attack the organization, which results in rate limit violations or user lockouts.
How is a specific IP address blocked using Okta Network Zones?
Identify the malicious IP address from the System Log and configure an IP Zone in the Okta Admin Console to block access.
- Identify the IP address of the threat actor from the Rate Limits dashboard or the System Log.
- Navigate to the Okta Admin Console.
- Go to Security > Networks.
- Select Add zone and choose IP Zone.
- Enter a descriptive Zone name, such as "IP Addresses Blocked From Accessing Organization".
- Select the checkbox for Block access from IPs matching conditions listed in this zone.
- In the Gateway IPs field, enter the IP address identified in the first step.
- Select Save.
NOTE: When Okta blocks an IP address, the System Log records the following event: security.request.blocked (Blocked request from IP).
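Added example, not from the original article or from Okta: it tallies the three rate limit messages listed above per source IP in exported System Log events, then builds the request body for the same blocking IP Zone in the shape Okta's Zones API accepts (POST /api/v1/zones). Assumptions: the sample events are constructed, the offending address is read from each event's client.ipAddress field, and the function names, the min_events threshold and the trusted list are hypothetical.

```python
import ipaddress
from collections import Counter

# Display messages the article lists for this condition.
RATE_LIMIT_MESSAGES = {
    "Okta Rate Limit Warning",
    "Okta Rate Limit Reached",
    "Okta Burst Rate Limits Activated",
}

# Constructed sample events, reduced to the System Log fields used here.
SAMPLE_EVENTS = [
    {"displayMessage": "Okta Rate Limit Warning", "client": {"ipAddress": "203.0.113.50"}},
    {"displayMessage": "Okta Rate Limit Reached", "client": {"ipAddress": "203.0.113.50"}},
    {"displayMessage": "Okta Burst Rate Limits Activated", "client": {"ipAddress": "203.0.113.50"}},
    {"displayMessage": "Okta Rate Limit Warning", "client": {"ipAddress": "198.51.100.7"}},
    {"displayMessage": "User login to Okta", "client": {"ipAddress": "198.51.100.9"}},
    {"displayMessage": "Okta Rate Limit Reached", "client": {"ipAddress": None}},
]

def rate_limit_sources(events, min_events=2, trusted=()):
    """Return IPs tied to at least min_events rate limit messages, busiest first."""
    trusted_nets = [ipaddress.ip_network(n) for n in trusted]
    counts = Counter()
    for event in events:
        ip = (event.get("client") or {}).get("ipAddress")
        if event.get("displayMessage") not in RATE_LIMIT_MESSAGES or not ip:
            continue
        addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
        # Never propose blocking your own egress or VPN ranges (assumed list).
        if any(addr in net for net in trusted_nets):
            continue
        counts[str(addr)] += 1
    return [ip for ip, n in counts.most_common() if n >= min_events]

def blocklist_zone_body(ips, name="IP Addresses Blocked From Accessing Organization"):
    """Build a Zones API body for a blocking IP Zone with the IPs as gateways."""
    gateways = [{"type": "CIDR", "value": str(ipaddress.ip_network(ip))} for ip in ips]
    return {"type": "IP", "name": name, "status": "ACTIVE",
            "usage": "BLOCKLIST", "gateways": gateways, "proxies": None}

if __name__ == "__main__":
    offenders = rate_limit_sources(SAMPLE_EVENTS, trusted=["198.51.100.0/24"])
    print(blocklist_zone_body(offenders))
```

Review the returned addresses before blocking: a single address can be a shared NAT or proxy egress used by legitimate users.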
