Getting started with Dynamic IP Blocking

Back to Blog
September 15, 2020
Dusan Vitek

By Dusan Vitek, Director, Product Marketing, SecureAuth

SecureAuth is introducing a new attack detection engine – Dynamic IP Blocking. The new technology is the latest security innovation from SecureAuth, further strengthening the first line of defense to protect authentication endpoints.

Introduced in mid-2020, SecureAuth Dynamic IP Blocking temporarily blocks IP addresses used by bad actors to generate a password spraying attack against the platform. Similar to the principles used in a modern IDS/IPS Unified Threat Management system, Dynamic IP Blocking incorporates a proprietary pattern recognition algorithm to detect and mitigate attacks without user or admin intervention.

A First Line of Defense Against Attacks

Password spraying is a low-speed and particularly dangerous password attack method often performed against single sign-on (SSO) and cloud-based authentication portals. You can think of password spraying as a reverse brute-force attack. Bad actors use a unique password against a myriad of user account names hoping to breach that single account.

In a brute-force password attack, the malicious hacker rapidly progresses through a combination of a single username paired with dozens of potential common passwords with the hope of compromising the account. In the password spraying attack, the hacker tries thousands of usernames with the same password before moving on to a second password.

The danger of the password spraying attack lies in the fact that the attack is slow against each individual username with long delays between each login attempt. Therefore, the hacker can avoid triggering the failed login attempt detection (also known as SecureAuth Password Throttling) and run the attack undetected.

SecureAuth Dynamic IP Blocking technology prevents the originating IP address from submitting requests after a specified number of failed login attempts using different usernames within a specified period of time. Instead of locking user accounts, it blocks login attempts coming from the IP address.

It’s worth noting that Dynamic IP Blocking works for both legacy clients (installable software using WS-Trust) and modern clients such as web apps using SAML.

How to Configure Dynamic IP Blocking

To use Dynamic IP Blocking, go to your SecureAuth Identity Platform Administration Console. First, set the length of time to block the IP address after a set number of failed attempts. Your setting will apply to login workflows in all policies. Then, you add the Dynamic IP Blocking rule in each policy.

You can add allowed IP addresses that apply to all policies and in a specific policy. IP addressed added to this list will never be blocked, no matter how many failed attempts occur.

  1. On the left side of the Identity Platform page, click IP Filtering. Note that the settings you define here apply to all policies.

  1. Set the length of time to block associated IP addresses after a specified number of failed login attempts. (The numbers in the line after the Block button are clickable links.)Options include:
  • Length of time – 12, 24, 36, 48, or 72 hours
  • Number of failed login attempts – 5,10, 15, 20, and 25
  1. To allow certain IP addresses, click Set IP addresses link and enter IP addresses, separated by a comma. Note: IP addresses can only be in IPv4 format.
  2. Next, open a policy and go to the Blocking Rules tab and add Dynamic IP Blocking as a new rule.

Dynamic IP Blocking is included in select SecureAuth subscription plans and is shipping with the SecureAuth virtual appliances version 20.06 and later for hybrid cloud deployments.


Blog series
SecureAuth Introduces Dynamic IP Blocking Technology to Prevent Password Spray Attacks

Learn more
Follow us on Twitter at @SecureAuth, on LinkedIn at and or bookmark our blog at

Never Miss a Beat
Subscribe to Our Blog

SecureAuth Identity Platform Adaptative Authentication

Identity and Access Management

Empower your digital initiatives with secure access for everyone and everything connecting to your business

Product Features

Adaptive Authentication

Extend verification of a user identity with contextual risk checks

Multi-Factor Authentication

Leverage a broad portfolio of authentication factors for desktop and mobile

Intelligent Risk Engine

Protect your identities with advanced risk profiling analytics

Single Sign-On

Provide app discovery and one-click login through portal or desktop SSO

User Lifecycle Management

Enable admins with strong CRUD capabilities and users with self-service tools

Secure All Identities


Customer Identities

Deliver a frictionless customer experience safeguarding user data and privacy


Workforce Identities

Govern and control access rights for employees, partners, and contractors

Moving Beyond Passwords

Learn how passwords alone no longer provide the appropriate level of protection, nor confidence, required to secure valuable resources


Passwordless Authentication

Reduce the risk of breaches by eliminating passwords

2FA is Not Enough

Block popular phishing and brute force attacks used by bad actors

Protecting Office 365

Extend adaptive authentication and flexible MFA to all apps including Office 365

Securing Portals and Web Apps

Balance strong security and an exceptional user experience

RSA Migration

Transition to a modern identity and access management solution



Financial Services


Energy and Utilities

Public Sector


White Papers


Recorded Webinars

Analyst Reports

Innovation Labs


Support Portal

Events & Webinars



Calculate Your Savings

Lower support costs by enabling your users the control to reset passwords, account unlocks, device enrollment and update profiles

Meet SecureAuth

About SecureAuth