[Fail2ban-users] Fail2ban DDoSed while receiving a DNS DDoS

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi there.

I discovered a serious problem in fail2ban, making it propense to DDoS,
and stop banning anymore.

Since yesterday, my personal server was under a DNS cache DDoS attack,
but despite fail2ban was configured, it was not efectivelly stopping
that attack.

After some research I discovered the cause, and thus, I am posting it
to here providing feedback for it to be fixed.

I had fail2ban mailing me with every ban it created. The problem: If it
is under a heavy attack, there is little to none upload bandwitdh left
for sendmail, and fail2ban waits for sendmail in order to process the
next bans.

I came to know that because while tailing log files by hand and
watching at the number of attacks per second, and watching that my
upload bandwidth was exhausted, a ps -Af revealed that sendmail was
waiting to finish, and fail2ban only banned 2 or 3 IPs from at least 50
which were participating in that moment.

I think this is a very serious issue which needs to be fixed asap, and
make it do its actions asynchronously by default.

The workarround I used was to modify mail-buffered.conf action to use
sendmail, and it successfully banned every IP participating in the
event.

Yet still, it is annoying since I'd like to receive notification in
that moment, rather than waiting to XX different IPs to receive the
notification.

What about this issue?

P.S. I am posting to the list as I could not find official bugzilla to
post this there.

Thanks,

Awaiting feedback,

David.