Suspicious IP Throttling Attack Protection not Getting Triggered

Problem statement

Suspicious IP Throttling Attack Protection is not getting triggered. The tenant logs show many errors for the specific IPs, including:

"description": "Missing required parameter: response_type"

Solution

Suspicious IP Throttling protections exist as a layer of defense against credential-stuffing-style attacks (along with our Bot Detection). They specifically prevent a single IP address from making an unbounded number of username/password checks while those checks continue to fail.

In the case of an invalid grant or response type, the username/password is never actually checked. The request is rejected based on schema definitions for that endpoint. This means that no information about the correctness of the credentials is ascertained and, therefore, Suspicious IP Throttling protections do not fire.
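A log-triage sketch for the situation described above, added here as an example and not code from Auth0: it splits each IP's errors into requests rejected before any credential check and genuine failed credential checks. It assumes a newline-delimited JSON export with `ip` and `type` fields, the failed-login type codes `fp` and `fu`, and a hypothetical `min_events` threshold; the sample events are constructed.

```python
import json
from collections import defaultdict

# Constructed sample events (not real tenant data), one JSON object per line.
# "description" is the field quoted on this page; "ip" and "type" are assumed.
SAMPLE_LOG = """\
{"ip": "203.0.113.7", "type": "f", "description": "Missing required parameter: response_type"}
{"ip": "203.0.113.7", "type": "f", "description": "Missing required parameter: response_type"}
{"ip": "203.0.113.7", "type": "f", "description": "Missing required parameter: response_type"}
{"ip": "203.0.113.7", "type": "f", "description": "Missing required parameter: response_type"}
{"ip": "198.51.100.23", "type": "fp", "description": "Wrong email or password."}
{"ip": "198.51.100.23", "type": "fp", "description": "Wrong email or password."}
{"ip": "198.51.100.23", "type": "fu", "description": "Wrong email or password."}
{"ip": "198.51.100.23", "type": "f", "description": "Missing required parameter: response_type"}
not-json
"""

# Assumed type codes for events where a username/password was checked and failed.
CREDENTIAL_FAILURE_TYPES = {"fp", "fu"}
# Description prefix of requests rejected by schema validation (from this page).
SCHEMA_REJECT_PREFIX = "Missing required parameter"

def triage(lines):
    """Count, per IP, schema rejections versus failed credential checks."""
    counts = defaultdict(lambda: {"credential_failures": 0, "schema_rejections": 0})
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if not isinstance(event, dict):
            continue
        ip = event.get("ip", "unknown")
        desc = event.get("description") or ""
        if desc.startswith(SCHEMA_REJECT_PREFIX):
            counts[ip]["schema_rejections"] += 1
        elif event.get("type") in CREDENTIAL_FAILURE_TYPES:
            counts[ip]["credential_failures"] += 1
    return dict(counts)

def noisy_but_unthrottled(counts, min_events=3):
    """IPs with many errors but no credential checks: nothing for throttling to count."""
    return sorted(ip for ip, c in counts.items()
                  if c["schema_rejections"] >= min_events and c["credential_failures"] == 0)

if __name__ == "__main__":
    counts = triage(SAMPLE_LOG.splitlines())
    print(counts)
    print(noisy_but_unthrottled(counts))
```

An IP returned by `noisy_but_unthrottled` generated errors without a single credential check, which matches the case where Suspicious IP Throttling is not expected to fire.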