Protect authorization server(s) from DoS?

(to be clear: this is precisely focused on only one thing - finding out if there are any protection mechanisms for the authentication server itself for Enterprise Okta accounts).

suppose a bad actor creates an app that floods one/all of our Okta token-validation servers with random (and therefore obviously) invalid tokens.

Since you don’t know what’s an invalid token without the server at least seeing that token, you have to at least accept the request before you can inspect/discard the token.

Does Enterprise Okta allow admins to create & maintain firewall rules so that abusive IP addresses can be blocked, and relieve the server from having to cope with a flood of validation requests?

So you mean they hit the rate limit for the authz server endpoints?

https://developer.okta.com/docs/api/getting_started/rate-limits

So you mean they hit the rate limit for the authz server endpoints?

well, that’s one aspect of it, yes. However, once the bad guys hit the rate limit, they could just keep going and block by flooding.

Now I know Okta has 1st rate services &networks, so the real question is this: does Okta Enterprise include ability for customer-company to configure firewall rules for their instance?

Okta implements IP blacklisting and other security controls to mitigate the risk of Distributed Denial of
Service (DDoS) attacks at the global router level. In addition to the controls implemented by Okta at
the global level, the service allows you to implement your own IP blacklisting rules.

1 Like