I woke up this morning to a rebooted server. The DNS was running at over 100%. After a little bit of work, I got fail2ban in place to block all of those requests.
The requests themselves are valid, just repeated hundreds of times per second. Once the block got many (hundreds) of IPs, I can see that I am blocking 1 million UDP hits every few hours.
Is that just a [D]DoS attack? (probably considered dynamic since many computers are involved and once one was blocked long enough it looks like it stops the requests)
The one other possibility I can think of is that the attacker is trying to crash the DNS and gain access when it restarts or crash the whole computer and attempt connections to other services. (i.e. in case you don’t know how to get your firewall in place before you start your services)
Since my last firewall reset, here are my stats:
Number of IPs: 473
It goes fast. Several hundred hits per second. The number of IPs doesn’t grow much, however.