
benjamin.l.campbell (numo LLC) asked a question.
Apologies for the wall of text before the question, but context is important here.
I've discovered some differences in functionality in terms of network zone blocking. I've been experiencing frequent bot-like attempts to access a specific user from what reports as a Chinese IP address. I'm not located in China, but block all traffic from outside my country. To accomplish this, I set up dynamic zones for the entire world except my country and set them to block. Then I set my country to allow, to then apply behavioral capability.

What I find is that, from a user perspective, the behavior is different when using dynamic zone blocking as opposed to static zones (specific IPs, IP ranges, or CIDR ranges). When blocking with static zones, the end user sees 403 errors when attempting to browse to the Okta login page. When using dynamic zones, the end user always sees the same "login failed" message regardless of what is typed for authentication (the wording is slightly different - maybe "sign-in failed", etc.). However, one difference is that while users cannot log in, their sign-in attempts are still weighed against at least some policy.

One area that's troublesome to me is that bad password attempts are logged in Okta. It's not reported to the user, but it is still logged. This means that a denial of service attack is still possible against Okta users when using dynamic zone blocking (which is the only real option for effective geolocational / network-based authentication security).
Now to my question: How are the other Okta admins / security architects effectively blocking country / region in Okta Network Zones?
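An added example to go with the behaviour described in the post (this is illustration code written for this page, not Okta's code or the poster's). It reads Okta System Log lines and flags failed sign-ins that arrived from outside the allowed country, i.e. attempts a blocked dynamic zone should have stopped before the credential check, and reports users whose count of such failures has reached the lockout threshold. The field names (eventType, outcome.result, actor.alternateId, client.ipAddress, client.geographicalContext.country) follow the Okta System Log schema as commonly exported; the allowed country, the threshold, the log lines and the IP addresses (documentation ranges) are constructed for the example.

```python
"""Spot lockout-style denial of service against Okta users: failed sign-ins that
reached the credential check even though they came from a blocked geography.

Example code added to illustrate the thread; not Okta's code. Field names follow
the Okta System Log schema; every sample line, address and threshold below is
constructed for this example."""
import json
from collections import Counter

# Assumption: the tenant's allowed dynamic zone covers exactly this country.
ALLOWED_COUNTRIES = {"United States"}
# Assumption: the password policy locks an account after this many failures.
LOCKOUT_THRESHOLD = 3

# Constructed System Log lines (NDJSON), trimmed to the fields used below.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real clients.
SAMPLE_LOG_LINES = [
    '{"eventType":"user.session.start","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10","geographicalContext":{"country":"China"}}}',
    '{"eventType":"user.session.start","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10","geographicalContext":{"country":"China"}}}',
    '{"eventType":"user.session.start","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.11","geographicalContext":{"country":"China"}}}',
    '{"eventType":"user.session.start","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.11","geographicalContext":{"country":"China"}}}',
    '{"eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.7","geographicalContext":{"country":"United States"}}}',
    '{"eventType":"user.session.start","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.9","geographicalContext":{"country":"United States"}}}',
    '{"eventType":"user.session.start","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.44","geographicalContext":{"country":"China"}}}',
    '{"eventType":"user.authentication.sso","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.7","geographicalContext":{"country":"United States"}}}',
    'this line is not JSON and must be skipped',
]


def parse_events(lines):
    """Parse NDJSON System Log lines, skipping anything that is not a JSON object."""
    events = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            events.append(obj)
    return events


def is_failed_sign_in(event):
    """True for a primary sign-in attempt that was rejected (bad credentials etc.)."""
    return (event.get("eventType") == "user.session.start"
            and event.get("outcome", {}).get("result") == "FAILURE")


def country_of(event):
    """Source country as resolved by Okta, or None when geolocation is absent."""
    return event.get("client", {}).get("geographicalContext", {}).get("country")


def foreign_failures(events, allowed=ALLOWED_COUNTRIES):
    """Failed sign-ins whose source country lies outside the allowed zone.

    Each hit is (user, country, ip). Successes and in-country typos are not
    hits; an event with no resolvable country is treated as out-of-zone, since
    a geolocation-based zone cannot have allowed it."""
    hits = []
    for ev in events:
        if not is_failed_sign_in(ev):
            continue
        country = country_of(ev)
        if country in allowed:
            continue
        user = ev.get("actor", {}).get("alternateId", "<unknown>")
        ip = ev.get("client", {}).get("ipAddress", "<unknown>")
        hits.append((user, country, ip))
    return hits


def users_at_risk(events, threshold=LOCKOUT_THRESHOLD):
    """Users whose out-of-zone failure count has reached the lockout threshold."""
    counts = Counter(user for user, _, _ in foreign_failures(events))
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG_LINES)
    for user, country, ip in foreign_failures(evs):
        print(f"out-of-zone failure: {user} from {country} ({ip})")
    for user, n in users_at_risk(evs).items():
        print(f"LOCKOUT RISK: {user} has {n} out-of-zone failures")
```

Run against a real export by replacing SAMPLE_LOG_LINES with the lines of a System Log download; any out-of-zone failure at all is evidence that the block is being evaluated after, not before, the credential check, and a user reaching the threshold is the lockout DoS the post describes.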