Suspicious IP Throttling

Suspicious IP throttling is enabled by default for all connections. When enabled, you can customize the suspicious IP throttling policies, including changing the threat threshold that triggers throttling, creating a list of trusted IP addresses from which your users can always access your resources, and enabling or disabling email notifications to administrators.

When triggered, suspicious IP throttling will:

Block suspicious IP addresses for 15 minutes.
Send an email notification (if configured) to the account administrator(s)

If throttling is triggered, it can be removed by an administrator.

You can configure suspicious IP throttling in the following ways:

Enable/disable traffic throttling from an IP address when a high number of login or signup attempts target too many accounts.
Configure a list of trusted IP addresses from which users can access your resources.
Enable/disable whether to notify account administrators by email when traffic is throttled on one or more IP addresses due to high-velocity traffic.

Auth0 strongly recommends that you do not disable suspicious IP throttling for the connection; however, you can both disable and enable it using the Dashboard.

Go to Auth0 Dashboard > Security > Attack Protection, and select Suspicious IP Throttling.
Enable the switch at the top of the page.

Enabling attack protection features without configuring response settings activates Monitoring mode, which records related events in your tenant log only. The tenant log will contain information about whether the login was determined to be risky so you can determine if you want to configure responses.
Under Response, and select Block Suspicious Logins and IP AllowList.
1. Enable the Limit high-velocity traffic targeting too many accounts switch to throttle traffic from an IP address when there is a high number of login attempts targeting too many different accounts.
2. Enable the Send notification to account administrator switch to send an email notification to the account administrator when traffic is throttled on one or more IP addresses due to high-velocity traffic.
3. Under IP AllowList, add IP addresses to create a list of trusted IP addresses from which your users can always access your resources.
Click Save.

Because suspicious IP throttling depends on the IP address of the user, the following use cases require additional configuration:

Using the Resource Owner Password Grant from the backend of an application: Using this call does not get the IP address of the user; however, to make suspicious IP throttling work correctly, you can configure your application to send the IP address of the user as part of the request. See Avoid Common Issues with Resource Owner Password Flow and Attack Protection: Send the user's IP address from your server.
Authenticating a large number of users from the same IP address: Users who are behind a proxy are more likely to reach set limits and trigger throttling. You can avoid erroneously triggering throttling by configuring an AllowList for the proxy's IP and CIDR range. See Avoid Common Issues with Resource Owner Password Flow and Attack Protection: Configure your Application to trust the IP address.

Docs