fail2ban 0.10.3
openSUSE 15.0

We use Suricata to detect and optionally block bad actors. We recently set up a DNS server for a new domain. Said bad actors started abusing the server within a day with the DoS DNS Amplification attack. Suricata is set to block those packets. To ease the burden on Suricata, which can be a CPU-intensive protection, I created a jail to feed back detected DNS attacks.

The attacks are tightly controlled from a large botnet; an attempt occurs almost precisely every 60 seconds. After 5 days of collecting IPs to block, the count has exceeded 10,000, and there is no change in the attack rate, implying excellent CnC and lots of IPs. iptables does not seem to find this troublesome.

So. Is this a case where fail2ban is not an especially useful solution to the problem? Or are 1000s of blocked IPs not uncommon?

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.

_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
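The post does not include the jail's filter, so the following is an added example (not the poster's configuration and not fail2ban's own code) of what such a filter does: it applies a fail2ban-style `failregex` to Suricata `fast.log` lines, keeps only the DNS amplification alerts, extracts the source address, and measures the spacing between alerts per IP so the "every 60 seconds" timing the post describes can be confirmed from the log rather than guessed. The log lines, the signature ID and the regex are constructed for this example; the signature name follows the Emerging Threats naming style but the SID `9999999` is a placeholder.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed Suricata fast.log excerpt (not from the original post).
# The DNS amplification SID is a placeholder; the SSH scan line is a decoy
# that a DNS-specific jail must ignore.
SAMPLE_FAST_LOG = """\
06/01/2018-10:00:00.000001  [**] [1:9999999:1] ET DOS DNS Amplification Attack Inbound [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 198.51.100.7:53261 -> 192.0.2.10:53
06/01/2018-10:00:30.000001  [**] [1:9999998:1] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44123 -> 192.0.2.10:22
06/01/2018-10:01:00.000001  [**] [1:9999999:1] ET DOS DNS Amplification Attack Inbound [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 198.51.100.7:53261 -> 192.0.2.10:53
06/01/2018-10:02:00.000001  [**] [1:9999999:1] ET DOS DNS Amplification Attack Inbound [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 198.51.100.8:40001 -> 192.0.2.10:53
"""

# Hypothetical failregex for the jail. In a fail2ban filter file the
# (?P<host>...) group would be written as fail2ban's <HOST> tag; it is
# expanded here so the same pattern can be exercised with plain `re`.
FAILREGEX = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2})\.\d+\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+"
    r"ET DOS DNS Amplification Attack Inbound\s+\[\*\*\].*?\{UDP\}\s+"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+->"
)


def parse_alerts(log_text: str) -> Dict[str, List[datetime]]:
    """Map each source IP to the timestamps of its DNS amplification alerts.

    Lines for other signatures (e.g. the SSH scan) do not match and are
    dropped, exactly as a jail's failregex would drop them.
    """
    hits: Dict[str, List[datetime]] = {}
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%m/%d/%Y-%H:%M:%S")
        hits.setdefault(m.group("host"), []).append(ts)
    return hits


def attack_intervals(hits: Dict[str, List[datetime]]) -> Dict[str, List[int]]:
    """Seconds between consecutive alerts for each IP.

    A near-constant interval across many IPs is the signature of a
    centrally scheduled botnet rather than independent scanners.
    """
    intervals: Dict[str, List[int]] = {}
    for ip, stamps in hits.items():
        stamps = sorted(stamps)
        intervals[ip] = [
            int((later - earlier).total_seconds())
            for earlier, later in zip(stamps, stamps[1:])
        ]
    return intervals


def ban_candidates(hits: Dict[str, List[datetime]], maxretry: int = 1) -> List[str]:
    """IPs that reach `maxretry` matching alerts and would therefore be banned."""
    return sorted(ip for ip, stamps in hits.items() if len(stamps) >= maxretry)


if __name__ == "__main__":
    hits = parse_alerts(SAMPLE_FAST_LOG)
    print("unique attacking IPs:", len(hits))
    print("intervals per IP:", attack_intervals(hits))
    print("banned with maxretry=1:", ban_candidates(hits, 1))
```

With `maxretry = 1` every source seen once is banned, which is how a ban list grows by thousands of addresses when each bot only needs to appear a single time; the interval output shows whether the 60-second cadence holds per IP before deciding whether a fail2ban ban (one rule per address) or a bulk mechanism is the better fit for the size of the list.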
