I don’t understand the mechanism for releasing time-based restrictions in Suspicious IP throttling. According to the documentation, it states that if the Throttling rate is set to 100, a previously blocked IP will be able to perform a new login after 15 minutes. I believed that after 15 minutes, the blocked IP would have its restrictions lifted, and as long as the login attempts didn’t exceed the Maximum Attempts set, it would be possible to log in without any issues.
However, when I conducted a test by deliberately failing to log in immediately after the 15 minutes had passed, the IP was blocked again upon the second login failure. This behavior is different from what I had anticipated, and I’m now unsure about the appropriate configuration for the ‘suspicious IP throttling’ setting in our application.
I would appreciate it if someone could explain the precise behavior of the Throttling rate in Suspicious IP throttling and why the IP was blocked on the second login failure immediately after 15 minutes had passed.
The disconnect is that not all restrictions are lifted from that IP; instead, what happens is that after 15 minutes a new attempt (token) is granted for that IP.
The throttle rate determines how fast those tokens refill the “virtual bucket” of attempts. This example was provided in the docs. For example, a throttling rate of 100 means that Auth0 grants a new attempt approximately every 15 minutes. The throttle rate determines how fast these tokens are refilled over 24 hours.
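The refill behaviour described in the reply above is a token bucket, and the original poster's observation (one attempt succeeds after 15 minutes, the next failure is blocked again) falls straight out of that model. The following is an added illustration, not Auth0's implementation: it assumes tokens refill continuously at `throttling_rate` per 24 hours (so a rate of 100 yields one token every 864 s, roughly 14.4 minutes) and that only failed logins consume a token. The IP address and the `max_attempts` value of 3 are constructed for the simulation.

```python
from dataclasses import dataclass, field

SECONDS_PER_DAY = 24 * 60 * 60


@dataclass
class SuspiciousIpThrottle:
    """Token-bucket model of per-IP throttling (illustrative; not Auth0's code).

    max_attempts    - bucket capacity: failed logins an IP may burst before being blocked
    throttling_rate - tokens refilled per 24 hours (100 -> one token every ~14.4 min)
    """
    max_attempts: int
    throttling_rate: int
    # ip -> (fractional tokens currently in the bucket, timestamp of last refill)
    _buckets: dict = field(default_factory=dict)

    def refill_interval_seconds(self) -> float:
        """Seconds between two granted attempts at this throttling rate."""
        return SECONDS_PER_DAY / self.throttling_rate

    def _refill(self, ip: str, now: float) -> float:
        # A never-seen IP starts with a full bucket; otherwise credit the time elapsed.
        tokens, last = self._buckets.get(ip, (float(self.max_attempts), now))
        elapsed = max(0.0, now - last)
        tokens = min(float(self.max_attempts),
                     tokens + elapsed / self.refill_interval_seconds())
        self._buckets[ip] = (tokens, now)
        return tokens

    def available_attempts(self, ip: str, now: float) -> int:
        """Whole attempts the IP could fail right now before being blocked."""
        return int(self._refill(ip, now))

    def record_failed_login(self, ip: str, now: float) -> bool:
        """Consume one token for a failed login.

        Returns True if the attempt was allowed, False if the IP is blocked.
        Assumption of this model: successful logins do not call this and so
        consume nothing.
        """
        tokens = self._refill(ip, now)
        if tokens < 1.0:
            return False
        self._buckets[ip] = (tokens - 1.0, now)
        return True


def simulate_thread_scenario(max_attempts: int = 3, throttling_rate: int = 100) -> dict:
    """Replay the sequence discussed in the thread and return each step's outcome."""
    throttle = SuspiciousIpThrottle(max_attempts, throttling_rate)
    ip = "203.0.113.7"  # constructed sample address from the documentation range
    now = 0.0
    outcomes = {}

    # A burst of failures drains the bucket; the attempt after the last token is blocked.
    outcomes["burst"] = [throttle.record_failed_login(ip, now) for _ in range(max_attempts + 1)]

    # 15 minutes later only ONE token has refilled (900 s / 864 s per token),
    # so the first failure is allowed and the second is blocked again.
    now += 15 * 60
    outcomes["after_15_min"] = [throttle.record_failed_login(ip, now) for _ in range(2)]

    # A further 30 minutes buys roughly two more tokens (1800 s / 864 s).
    now += 30 * 60
    outcomes["after_another_30_min"] = [throttle.record_failed_login(ip, now) for _ in range(3)]

    # A full quiet day refills the bucket, capped at max_attempts.
    now += SECONDS_PER_DAY
    outcomes["after_a_day"] = throttle.available_attempts(ip, now)
    return outcomes


if __name__ == "__main__":
    for step, result in simulate_thread_scenario().items():
        print(f"{step}: {result}")
```

The key point the simulation makes visible is that the block is never "lifted" as a state change; the IP simply accrues one more permitted failure per refill interval, and a full bucket is only reached after enough quiet time for `max_attempts` tokens to accumulate.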
Thank you for the investigation and response.
I was able to understand the concept of Throttling rate.
If the Throttling rate is set to 100, it means that the block is not automatically lifted after approximately 15 minutes. Instead, you are allowed one login attempt, and after about 30 minutes, one additional login attempt is granted.
To confirm, only failed login attempts are subject to Suspicious IP throttling, and successful logins are not affected by Suspicious IP throttling.
Is my understanding correct?