Over the last 3 days we have had a surge of DNS amplification attacks. We use fail2ban to ban IPs that dare to trespass. Previously there were about 200 IPs banned, and it was a fairly steady count over the ban time.
Then this surge… Every 1 minute there is a new IP trying the attack. The count has risen to 4200 IPs banned and no end in sight.
Is this type of event “normal”?
01/24/2021-10:38:13.037029 [Drop] [] [1:2016016:8] ET DOS DNS Amplification Attack Inbound [] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 107.179.200.154:35523 → 192.168.69.246:53