Suspicious IP Throttling

Suspicious IP throttling is enabled by default for all connections. When enabled, you can customize the suspicious IP throttling policies. You can create a list of trusted IP addresses from which your users can always access your resources, and you can enable or disable email notifications to administrators.

When triggered, suspicious IP throttling will:

  • Block suspicious IP addresses for 15 minutes.

  • Send an email notification (if configured) to the account administrator(s).

If throttling is triggered, it can be removed by an administrator.

Configure IP throttling

You can configure suspicious IP throttling in the following ways:

  • Enable/disable traffic throttling from an IP address when a high number of login or signup attempts target too many accounts.

  • Configure a list of trusted IP addresses from which users can access your resources.

  • Enable/disable whether to notify account administrators by email when traffic is throttled on one or more IP addresses due to high-velocity traffic.

Auth0 strongly recommends that you do not disable suspicious IP throttling for the connection; however, you can both disable and enable it using the Dashboard.

  1. Go to Dashboard > Security > Attack Protection and select Suspicious IP Throttling.

  2. Enable the switch at the top of the page.

    Enabling attack protection features without configuring response settings activates Monitoring mode, which records related events in your tenant log only. The tenant log will contain information about whether the login was determined to be risky so you can determine if you want to configure responses. To learn more, read View Attack Protection Log Events.

  3. Under Response, select Block Suspicious Logins and IP AllowList.

    1. Enable the Limit high-velocity traffic targeting too many accounts switch to throttle traffic from an IP address when there is a high number of login attempts targeting too many different accounts.

    2. Enable the Send notification to account administrator switch to send an email notification to the account administrator when traffic is throttled on one or more IP addresses due to high-velocity traffic.

    3. Under IP AllowList, add IP addresses to create a list of trusted IP addresses from which your users can always access your resources.

  4. Click Save.
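
How the settings above interact (blocking, Monitoring mode, the IP AllowList and administrator unblock), as an added example that is not Auth0's code or implementation. It is a simplified model: the 15-minute block comes from this page, while the counting window, the account threshold and all names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

BLOCK_SECONDS = 15 * 60      # block duration stated on this page
WINDOW_SECONDS = 60          # assumption: counting window, not from the page
MAX_ACCOUNTS = 3             # assumption: distinct accounts allowed per window

class IpThrottle:
    def __init__(self, allowlist=(), block_enabled=True):
        self.allowlist = [ipaddress.ip_network(n) for n in allowlist]
        self.block_enabled = block_enabled   # False models Monitoring mode
        self.attempts = defaultdict(list)    # ip -> [(timestamp, account)]
        self.blocked_until = {}              # ip -> unblock timestamp
        self.log = []                        # stand-in for the tenant log

    def _trusted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowlist)

    def attempt(self, ts, ip, account):
        """Return 'allow' or 'block' for one login attempt."""
        if self._trusted(ip):                # allowlisted sources always pass
            return "allow"
        if self.blocked_until.get(ip, 0) > ts:
            return "block"
        recent = [(t, a) for t, a in self.attempts[ip] if ts - t < WINDOW_SECONDS]
        recent.append((ts, account))
        self.attempts[ip] = recent
        if len({a for _, a in recent}) > MAX_ACCOUNTS:
            self.log.append((ts, ip, "suspicious"))   # logged in both modes
            if self.block_enabled:
                self.blocked_until[ip] = ts + BLOCK_SECONDS
                return "block"
        return "allow"

    def unblock(self, ip):
        """Administrator removes the block before it expires."""
        self.blocked_until.pop(ip, None)
        self.attempts.pop(ip, None)

def replay(events, **kwargs):
    throttle = IpThrottle(**kwargs)
    return [throttle.attempt(*e) for e in events], throttle

# Constructed sample: one address tries five accounts in five seconds,
# then returns after the 15-minute block has expired.
SAMPLE = [(t, "203.0.113.7", f"user{t}") for t in range(5)]
SAMPLE.append((905, "203.0.113.7", "user9"))
```

Replaying the same sample with `block_enabled=False` shows why Monitoring mode is useful before enabling a response: the events are still logged, but no login is refused.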

Special cases

Because suspicious IP throttling depends on the IP address of the user, the following use cases require additional configuration:
