> I'm wondering what to do in case of future attacks like this.

I'm using fail2ban+ipsets to catch these quickly & ban them efficiently. Works well. Simply use a regex like in those grep commands to match.

Make sure you test your matches -- using a combo of an online regex tester & fail2ban-regex works for me.

On smaller boxes I manage runaway logs, getting over-filled by anything I missed, with a logrotate policy that compresses at size limits. If it's still a problem, move the logs to a remote as they rotate, and/or use remote real-time logging.

Jason