{
	"id": "23ed6f26-534f-4981-b519-516d5a80a74a",
	"created_at": "2026-04-06T00:22:32.01959Z",
	"updated_at": "2026-04-10T13:11:41.191021Z",
	"deleted_at": null,
	"sha1_hash": "4b79e81720e831d419b952de303f0e8ec27c5c44",
	"title": "How to Block Anonymizing Services using Okta",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58928,
	"plain_text": "How to Block Anonymizing Services using Okta\r\nBy Moussa Diallo and Brett Winterford\r\nPublished: 2024-04-27 · Archived: 2026-04-05 14:25:23 UTC\r\n
Over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials (“combo lists”), and scripting tools.\r\n
From March 18, 2024 through to April 16, 2024, Duo Security and Cisco Talos observed large-scale brute force attacks on multiple models of VPN devices.\r\n
From April 19, 2024 through to April 26, 2024, Okta’s Identity Threat Research team observed a spike in credential stuffing activity against user accounts from what appears to be similar infrastructure.\r\n
In credential stuffing attacks, adversaries attempt to sign in to online services using large lists of usernames and passwords obtained from previous data breaches of unrelated entities, or from phishing or malware campaigns.\r\n
All recent attacks we have observed share one feature in common: they rely on requests being routed through anonymizing services such as TOR. Millions of the requests were also routed through a variety of residential proxies.\r\n
What is the Tor Network?\r\n
Tor (The Onion Router) provides its users a method of sending requests to web sites in which the originating source IP address of the request is obscured. Tor relies on the relay of messages across an overlay network of “onion routers”, each of which can only observe the IP of the preceding node and the next node in the communication. While Tor has legitimate uses, it is routinely used to conceal the real IP address of attackers.\r\n
What are Residential Proxies?\r\n
Residential Proxies are networks of legitimate user devices that route traffic on behalf of a paid subscriber. Providers of residential proxies effectively rent access to route authentication requests through the computer, smartphone or router of a real user, and proxy traffic through the IP of these devices to anonymize the source of the traffic.\r\n
Residential Proxy providers don’t tend to advertise how they build these networks of real user devices. Sometimes a user device is enrolled in a proxy network because the user consciously chooses to download “proxyware” onto their device in exchange for payment or something else of value. At other times, a user device is infected with malware without the user’s knowledge and becomes enrolled in what we would typically describe as a botnet.\r\n
More recently, we have observed a large number of mobile devices used in proxy networks where the user has downloaded a mobile app developed using compromised SDKs (software development kits). Effectively, the developers of these apps have consented to or have been tricked into using an SDK that enrolls the device of any user running the app in a residential proxy network.\r\nhttps://sec.okta.com/blockanonymizers\r\nPage 1 of 7\n\n
The net sum of this activity is that most of the traffic in these credential stuffing attacks appears to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers. For more information on residential proxy services, we recommend this informative summary by CERT Orange Cyberdefense and Sekoia.\r\n
Block it at the Edge\r\n
One of the key tenets of the Okta Secure Identity Commitment is to champion customer security best practices. We are committed to raising the bar for default security features in our platforms.\r\n
In February 2024, Okta released a well-timed capability into the Okta Platform that detects and blocks requests from anonymizing services.\r\n
Organizations that wish to deny access from specific anonymizers, and allowlist others, must first be licensed to use Dynamic Zones, which is included in the Adaptive MFA SKU.\r\n
Customers using Auth0 should consider the Attack Protection Suite, and consider the other recommendations in the table below.\r\n
Modern Defenses, Built into the Identity Platform\r\n
The unprecedented scale of these attacks has provided clear insights into the controls most effective against credential stuffing.\r\n
ThreatInsight, Okta’s built-in control against high volume attacks, blocks requests from IPs involved in large scale credential based attacks prior to authentication.\r\n
The small percentage of customers where these suspicious requests proceeded to authentication shared similar configurations: the org was nearly always running on the Okta Classic Engine, ThreatInsight was configured in Audit-only mode (not Log and Enforce mode), and Authentication policies permitted requests from anonymizing proxies.\r\n
Customers using Okta Identity Engine that (a) enabled ThreatInsight in log and enforce mode and (b) denied access requests from anonymizing proxies were protected from these opportunistic attacks. These basic features are available in all Okta SKUs. Upgrading to Okta Identity Engine is free, often highly automated, and provides access to a range of features including CAPTCHA challenges for risky sign-ins and passwordless authentication using Okta FastPass.\r\n
Broader Recommendations\r\n
We recommend Okta customers practice defense in depth to mitigate the risk of account takeovers from credential stuffing attacks.\r\n
Recommendation | Okta Workforce Identity and Customer Identity | Auth0\r\n
1. Embrace Passwordless | Require Okta FastPass and FIDO2 WebAuthn | Support PassKeys as a preferred sign-in method\r\n
2. Prevent users from making poor password choices | Require 12 characters and no parts of the username in Password Policy. Block passwords found in common password lists | Enable Breached Password Protection or Credential Guard to prevent use of passwords known to have been breached in 3P sites\r\n
3. Enforce MFA on sign-in | Require MFA in Global Session Policies | Require MFA for Password Authentication flows\r\n
4. Deny requests from locations where your organization does not operate | Use Network Zones to block requests prior to authentication | Deny access by location using a WAF or via the Country-based Access Control Action\r\n
5. Deny authentication requests from IPs with poor reputation | Deny requests made via anonymizing services via Dynamic Network Zones. Configure ThreatInsight in log and enforce mode to deny attempts based on the volume and velocity of failed requests from an IP. Require CAPTCHA challenges on high risk logins | Use Suspicious IP Throttling to slow down login attempts from suspicious IPs. Use Bot Protection to present CAPTCHA challenges to requests from suspicious IPs. Use 3P Auth0 Actions integrations to check if an IP is associated with an anonymizing proxy\r\n
6. Monitor for and respond to anomalous sign-in behavior | Enforce per-user Account Lockout. Exempt requests from devices that have successfully authenticated. Monitor for ThreatInsight events and rate limit violations | Use Brute-force Protection to block and lock out accounts subject to persistent failed authentication requests. Monitor for sign-in events using invalid usernames/non-existent users and/or previously breached passwords\r\n
TTPs used in Recent Attacks\r\n
Top 20 ASNs\r\n
Autonomous System Number | Network Provider\r\n
53667 | FranTech Solutions\r\n
62744 | Quintex Alliance Consulting\r\n
60729 | Stiftung Erneuerbare Freiheit\r\n
1101 | SURF B.V.\r\n
210558 | 1337 Services GmbH\r\n
197540 | netcup GmbH\r\n
16276 | OVH SAS\r\n
60404 | Liteserver\r\n
210644 | AEZA INTERNATIONAL LTD\r\n
399532 | Universal Layer LLC\r\n
200651 | FlokiNET ehf\r\n
44925 | 1984 ehf\r\n
51396 | Pfcloud UG\r\n
4224 | The Calyx Institute\r\n
51852 | Private Layer INC\r\n
56655 | TerraHost AS\r\n
36352 | HostPapa\r\n
208323 | Foundation for Applied Privacy\r\n
63949 | Akamai Connected Cloud\r\n
41281 | KeFF Networks Ltd\r\n
User Agent\r\n
Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0\r\n
Relevant System Log Queries: The Okta Platform\r\n
Event | System Log Query\r\n
ThreatInsight has Detected Access Requests from IPs Associated with Suspicious Behavior | eventType eq \"security.threat.detected\"\r\n
Suspected Brute Force Attack (T1110.001) | eventType eq \"security.threat.detected\" AND outcome.reason eq \"Login failures\"\r\n
Suspected Credential Stuffing Attack (T1110.004) | eventType eq \"security.threat.detected\" AND outcome.reason co \"Login failures with high unknown users count\"\r\n
Suspected Password Spray Attack (T1110.003) | eventType eq \"security.threat.detected\" AND outcome.reason co \"Password Spray\"\r\n
Targeted Brute Force Attack against a Specific Org | eventType eq \"security.attack.start\"\r\n
Relevant System Log Queries: The Auth0 Platform\r\n
Event | Log Query\r\n
Failed login request | f\r\n
Failed login: Invalid username/email address | fu\r\n
Failed login: Invalid password | fp\r\n
Login attempt from a known leaked password | pwd_leak\r\n
Signup (registration) attempt from a leaked password | signup_pwd_leak\r\n
IP address blocked: excessive failed login or registration requests without a successful login | limit_mu\r\n
User account lockout: excessive failed login requests per time period from the same IP address | limit_sul\r\n
IP address blocked: excessive failed login attempts to a single user account | limit_wc\r\n
Brett Winterford is Vice President of Okta Threat Intelligence. Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats. Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity.\r\n
Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank. Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.\r\n
Source: https://sec.okta.com/blockanonymizers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://sec.okta.com/blockanonymizers"
	],
	"report_names": [
		"blockanonymizers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434952,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b79e81720e831d419b952de303f0e8ec27c5c44.pdf",
		"text": "https://archive.orkl.eu/4b79e81720e831d419b952de303f0e8ec27c5c44.txt",
		"img": "https://archive.orkl.eu/4b79e81720e831d419b952de303f0e8ec27c5c44.jpg"
	}
}