> > > > > As far as I can see fail2ban only deals with hosts and not networks - I > > suspect the issue is what is a "network": It may be obvious to you > > looking at the logs that these are all related, but you run the risk > > that getting denied accesses from, say, 1.0.0.1 and 1.1.0.93 and > > 1.2.0.124 may be interpreted as a concerted attack and you banning half > > the internet - but that may not be a bad thing :-) > > > > Since you can configure fail2ban to invoke scripts, I would think it > would be possible to get it to block CIDRs (variable size subnets, i.e. > 12.12.0.0/20). That said, I don't have a quick and easy implementation > on hand. The OP was looking for an automated way of fail2ban doing it - he had already sorted out the network range and had stopped this particular DoS attack. P.