[CentOS] Blocking attacks from a range of IP addresses

Thu Jan 9 10:08:55 UTC 2020
Pete Biggs <pete at biggs.org.uk>

> Has anyone created a fail2ban filter for this type of attack? As of
> right now, I have manually banned a range of IP addresses but would
> like to automate it for the future.
> 

As far as I can see fail2ban only deals with hosts and not networks - I
suspect the issue is what is a "network": It may be obvious to you
looking at the logs that these are all related, but you run the risk
that getting denied accesses from, say, 1.0.0.1 and 1.1.0.93 and
1.2.0.124 may be interpreted as a concerted attack and you banning half
the internet - but that may not be a bad thing :-)

What I've done in times of trouble is to be a bit more aggressive in
why and how hosts are banned. It depends on how you are being attacked,
but it involves setting the threshold to 1 or 2 failures resulting in a
ban and then setting the ban time to something fairly short. Repeat
offenders will then quickly be picked up by the recidive filter and
permanently banned.

A downside to this is that your firewall filters get very large and
things will inevitably slow down, but it will at least give you the
chance to manually block a whole range but still give you a level of
automated protection.

P.
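A jail.local fragment that applies the approach described in the reply above (a low failure threshold with a short ban, and the recidive jail turning repeat offenders into a permanent ban). This is an added example, not configuration from the list post; it assumes the stock sshd and recidive jails shipped with fail2ban and the iptables-allports action.

```ini
# /etc/fail2ban/jail.local (added example; assumes the stock sshd and recidive jails)

[DEFAULT]
# Normal baseline: five failures within 10 minutes earn a one-hour ban.
# The per-jail settings below override these only where needed.
bantime  = 3600
findtime = 600
maxretry = 5

[sshd]
enabled  = yes
# Aggressive mode while under attack: two failures within 10 minutes
# gets a short 10-minute ban. Short bans keep the firewall chain small.
maxretry = 2
findtime = 600
bantime  = 600

[recidive]
enabled  = yes
# recidive reads fail2ban's own log, so a host that has been banned by
# any jail three times within a day is banned permanently on all ports.
logpath   = /var/log/fail2ban.log
banaction = iptables-allports
findtime  = 86400
maxretry  = 3
bantime   = -1
```

After reloading, `fail2ban-client status recidive` lists the hosts that have been escalated to a permanent ban, which is also where a whole range showing up repeatedly becomes visible for a manual block.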