This article gives administrators an overview of Okta's Distributed Denial-of-Service (DDoS) protections and Web Application Firewall (WAF).
- Distributed Denial-of-Service (DDoS)
- Web Application Firewall (WAF)
Okta uses AWS Shield Advanced for application-wide DDoS detection and protection against layer 3 and layer 4 infrastructure attacks as well as application-layer attacks such as HTTP floods. See What is a DDoS Attack for details.
Okta also uses AWS WAF for automatic filtering based on IP address, geographic blocking, or information available in the packet headers. Additional AWS protections are currently being evaluated as part of our continuous improvement efforts to protect the Okta service.
Because most DDoS attacks Okta sees target a specific customer, and because customers have unique use cases and usage patterns, Okta implements multiple layers of protection for customer orgs.
These protections include:
- Okta orgs are separated into cells, so the impact of any DDoS attack is limited to the customers in that cell.
- Inbound URL requests are filtered at the web proxy level to prevent malformed traffic from reaching Okta application servers.
- Okta implements rate limiting to prevent DoS through resource exhaustion.
- Application servers are separated, preventing a DoS attack against one service from affecting others.
- Customers have the ability to assign network and geo blocks to protect against attacks they detect.
- Customers can leverage Okta ThreatInsight data to detect suspicious IP addresses.
- All access data, including the IP address chain and user agent, is provided via API in near real time for integration into the customer's SIEM.
- Delegated Authentication soft-lock capability prevents external attackers from locking users out of internal applications.
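As an added example (not Okta's own code), the script below shows the kind of SIEM-side check the access data above enables: it triages System Log events for failed-login bursts per client IP within a sliding window and carries the IP chain, user agent and any ThreatInsight hits into the result. The events are constructed samples, and the field names (eventType, published, outcome.result, client.ipAddress, request.ipChain, client.userAgent.rawUserAgent) are assumed to follow the Okta System Log event schema.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events in the shape of Okta System Log records (not real Okta data):
# twelve failed logins in 60 s from one scripted client, one normal login, one ThreatInsight hit.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "published": f"2024-01-01T10:00:{s:02d}.000Z",
     "outcome": {"result": "FAILURE"},
     "client": {"ipAddress": "203.0.113.7", "userAgent": {"rawUserAgent": "python-requests/2.31"}},
     "request": {"ipChain": [{"ip": "203.0.113.7"}, {"ip": "198.51.100.2"}]}}
    for s in range(0, 60, 5)
] + [
    {"eventType": "user.session.start", "published": "2024-01-01T10:00:30.000Z",
     "outcome": {"result": "SUCCESS"},
     "client": {"ipAddress": "192.0.2.10", "userAgent": {"rawUserAgent": "Mozilla/5.0"}},
     "request": {"ipChain": [{"ip": "192.0.2.10"}]}},
    {"eventType": "security.threat.detected", "published": "2024-01-01T10:00:31.000Z",
     "outcome": {"result": "DENY"},
     "client": {"ipAddress": "203.0.113.7", "userAgent": {"rawUserAgent": "python-requests/2.31"}},
     "request": {"ipChain": [{"ip": "203.0.113.7"}]}},
]

def find_bursts(events, window_seconds=60, threshold=10):
    """Return {ip: details} for client IPs whose failed logins within any
    sliding window of window_seconds reach threshold; details include the
    IP chain, user agent and count of ThreatInsight detections for that IP."""
    failures = defaultdict(deque)   # ip -> timestamps of failed logins, oldest first
    threat_hits = defaultdict(int)  # ip -> number of security.threat.detected events
    flagged = {}
    for ev in sorted(events, key=lambda e: e["published"]):  # ISO 8601 sorts lexically
        ip = ev["client"]["ipAddress"]
        if ev["eventType"] == "security.threat.detected":
            threat_hits[ip] += 1
            continue
        if ev.get("outcome", {}).get("result") != "FAILURE":
            continue
        ts = datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        q = failures[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = {
                "failures_in_window": len(q),
                "ip_chain": [hop["ip"] for hop in ev["request"]["ipChain"]],
                "user_agent": ev["client"]["userAgent"]["rawUserAgent"],
            }
    for ip, info in flagged.items():
        info["threatinsight_hits"] = threat_hits.get(ip, 0)
    return flagged
```

The flagged IP and its chain are what an administrator would feed into a network zone block or a SIEM alert; the threshold and window should be tuned to the org's normal login patterns.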
Related References
- Visit Okta Trust for real-time information on performance, security, and compliance.
