We check for different types of attacks on our colocated server and ban the offending IP addresses for increasing amounts of time as the attacks continue. For instance, let’s say you’ve been trying to guess VPN accounts, and each attempt generates an error. If you cross a threshold of, say, 10 attempts, the IP address will be firewalled for a while. Once that time is up, the IP address can access the system again. After another batch of attacks, the firewall rules kick in again and the IP is blocked for longer than the previous ban. Most of these attacks drop off after they’ve been firewalled a few times.
However, we’ve had a very persistent attacker that has been trying to get through for weeks, but only attempts every few minutes. I saw the address come up a few times in the reports, but it didn’t really catch my attention until I saw how high the number of attempts had become (every few minutes for a few weeks adds up). I then noticed that the IP was not actually being banned each time. In other words, the program was banning an IP address, but the attempts kept coming through. What that means is the IP address being banned was not the actual IP address being used by the attack. It was being spoofed.
I went with the assumption that they were spoofing one of their own addresses, meaning they have a couple of systems and were using one to spoof the IP of another. So, I set the firewall to ban all addresses in the same block as the IP. And it worked: as soon as I banned the block, the attacks stopped.
So, I just need to make a little address map for these lovely folks. If they are coming from any address within a block, the entire block gets banned.
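Here is the block-level, escalating ban policy described above as an added example (my code, not the author's firewall setup). It assumes a "block" is an IPv4 /24, a threshold of 10 attempts, ban lengths that double from a 10-minute base, and a constructed log format `"<epoch> vpn auth-fail src=<ip>"`; all of those are illustrative choices.

```python
import ipaddress
import re

THRESHOLD = 10           # failed attempts per block before a ban (page's "say, 10")
BASE_BAN_SECONDS = 600   # first ban length; each later ban doubles (assumed policy)
BLOCK_PREFIX = 24        # assumed size of "the same block of addresses"

# Constructed log format for this example: "<epoch> vpn auth-fail src=<ip>"
LOG_RE = re.compile(r"^(\d+) vpn auth-fail src=(\S+)$")


class BanTracker:
    def __init__(self):
        # block -> {"failures": since last ban, "bans": count, "until": epoch}
        self.blocks = {}

    @staticmethod
    def block_of(ip):
        # Key by the containing block so it is banned as a unit, even when the
        # attempts arrive from different addresses inside that block.
        return str(ipaddress.ip_network(f"{ip}/{BLOCK_PREFIX}", strict=False))

    def record_failure(self, ip, now):
        """Count one failed attempt against the whole block; return True when
        it crosses the threshold and a new, longer ban should start."""
        st = self.blocks.setdefault(self.block_of(ip),
                                    {"failures": 0, "bans": 0, "until": 0})
        if now < st["until"]:
            return False  # the firewall should already be dropping this block
        st["failures"] += 1
        if st["failures"] < THRESHOLD:
            return False
        st["failures"] = 0
        st["bans"] += 1
        st["until"] = now + BASE_BAN_SECONDS * 2 ** (st["bans"] - 1)
        return True


def process_log(lines):
    """Replay log lines; return the tracker and a list of (time, block) bans."""
    tracker, events = BanTracker(), []
    for line in lines:
        m = LOG_RE.match(line)
        if m and tracker.record_failure(m.group(2), int(m.group(1))):
            events.append((int(m.group(1)), tracker.block_of(m.group(2))))
    return tracker, events


# Constructed sample: 10 attempts from 203.0.113.7, then, after the 10-minute ban
# has expired, 10 more from a neighbour in the same /24 (203.0.113.9).
SAMPLE_LOG = [f"{1700000000 + 60 * i} vpn auth-fail src=203.0.113.7" for i in range(10)]
SAMPLE_LOG += [f"{1700001300 + 60 * i} vpn auth-fail src=203.0.113.9" for i in range(10)]
```

The second batch comes from a different address but lands in the same block, so it is counted against that block's history and draws a 20-minute ban rather than starting over at 10.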