I am experiencing what I believe is a DNS amplification attack on my bind9 DNS server. I'm seeing very of the following on different IPs 20:11:53.977254 IP 108.234.250.76.62926 > 69.265.222.253.53: 50679+ [1au] ANY? USADF.GOV. (38) My server responds 20:11:53.977776 IP 69.265.222.253.53 > 108.234.250.76.62926: 50679 Refused- 0/0/1 (38) I imagine the IPs are spoofed. I have installed fail2ban in order to address the problem. Various howtos detail how to configure bind to log to /var/log/named/security.log and setup fail2ban. The security.log is filling nicely with lots of "29-Aug-2018 20:23:07.798 client @0x7fa1d013b990 66.69.234.170#29024 (USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied" and fail2ban is indicating "Jail 'named-refused' started" but it never actually bans an IP. 2) I used fail2ban-regex to test the security.log line against fail2bans named-refused regex, but its doesn't match! So I have to conclude either debian bind9 changed the log output or fail2ban git it wrong. I'm using the latest fail2ban from debian. Has anyone else got this to work? -- Michael Galea