diff --git a/ChangeLog b/ChangeLog index 9e99a4f6..e0358d03 100644 --- a/ChangeLog +++ b/ChangeLog @@ -35,6 +35,10 @@ ver. 1.0.3-dev-1 (20??/??/??) - development nightly edition * `filter.d/sshd.conf`: - avoid double counting for "maximum authentication attempts exceeded" (gh-3502) - message "Disconnecting ... Too many authentication failures" is not a failure anymore + - mode `ddos`/`aggressive` extended to match new messages caused by port scanner, wrong payload on ssh port (gh-3486): + * message authentication code incorrect [preauth] + * connection corrupted [preauth] + * timeout before authentication ver. 1.0.2 (2022/11/09) - finally-war-game-test-tape-not-a-nuclear-alarm diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf index e5cdee88..a954774c 100644 --- a/config/filter.d/sshd.conf +++ b/config/filter.d/sshd.conf 
@@ -70,12 +70,13 @@ mdre-normal = # used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode) mdre-normal-other = ^(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))%(__authng_user)s %(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?(?: \[preauth\])?\s*$ -mdre-ddos = ^Did not receive identification string from +mdre-ddos = ^(?:Did not receive identification string from|Timeout before authentication for) ^kex_exchange_identification: (?:read: )?(?:[Cc]lient sent invalid protocol identifier|[Cc]onnection (?:closed by remote host|reset by peer)) ^Bad protocol version identification '(?:[^']|.*?)' (?:from )?%(__suff)s$ ^SSH: Server;Ltype: (?:Authname|Version|Kex);Remote: -\d+;[A-Z]\w+: ^Read from socket failed: Connection reset by peer - ^banner exchange: Connection from <__on_port_opt>: invalid format + ^(?:banner exchange|ssh_dispatch_run_fatal): Connection from <__on_port_opt>: (?:invalid format|(?:message authentication code incorrect|[Cc]onnection corrupted) \[preauth\]) + # same as mdre-normal-other, but as failure (without with [preauth] and with on no preauth phase as helper to identify address): mdre-ddos-other = ^(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))%(__authng_user)s %(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?\s+\[preauth\]\s*$ ^(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))%(__authng_user)s (?:%(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?|\s*)$ diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd index c20485d7..ed54ded4 100644 --- a/fail2ban/tests/files/logs/sshd +++ b/fail2ban/tests/files/logs/sshd 
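Review bot: `Timeout before authentication for`, added to the first `mdre-ddos` alternative, is a different kind of signal from the two `ssh_dispatch_run_fatal` messages: as I read OpenSSH, sshd logs it when LoginGraceTime expires on any connection that has not finished authenticating, which a legitimate user left at a password prompt or a client on a stalled link triggers just as a scanner does, so in `ddos`/`aggressive` mode a few such sessions behind one NAT address now count toward `maxretry`. The regex cannot distinguish the two cases and nothing in the hunk records the trade-off; a comment above the line such as `# "Timeout before authentication" (LoginGraceTime expiry) is also logged for idle legitimate clients, not only scanners` would let operators decide whether `ddos` mode fits their hosts. As a point of style, the `ssh_dispatch_run_fatal` messages are folded into the existing `banner exchange` line as a nested alternation; giving them their own regex line, matching the one-message-per-line layout of the rest of `mdre-ddos`, would keep each log source readable and testable on its own.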
@@ -325,6 +325,13 @@ Mar 1 18:59:33 hostname sshd[1189575]: error: kex_exchange_identification: bann
 # failJSON: { "time": "2005-03-01T18:59:33", "match": true , "host": "192.0.2.12", "desc": "ddos: port scanner, https payload on ssh port (banner exchange: invalid format, gh-3169)" }
 Mar 1 18:59:33 hostname sshd[1189575]: banner exchange: Connection from 192.0.2.12 port 44105: invalid format
+# failJSON: { "time": "2005-03-01T18:59:50", "match": true , "host": "192.0.2.13", "desc": "ddos: port scanner, wrong payload on ssh port (message authentication code incorrect [preauth], gh-3486)" }
+Mar 1 18:59:50 hostname sshd[71905]: ssh_dispatch_run_fatal: Connection from 192.0.2.13 port 33738: message authentication code incorrect [preauth]
+# failJSON: { "time": "2005-03-01T18:59:50", "match": true , "host": "192.0.2.13", "desc": "ddos: port scanner, wrong payload on ssh port (connection corrupted [preauth], gh-3486)" }
+Mar 1 18:59:50 hostname sshd[80348]: ssh_dispatch_run_fatal: Connection from 192.0.2.13 port 52452: Connection corrupted [preauth]
+# failJSON: { "time": "2005-03-01T18:59:52", "match": true , "host": "192.0.2.14", "desc": "ddos: port scanner (timeout before authentication, gh-3486)" }
+Mar 1 18:59:52 srv sshd[12345]: fatal: Timeout before authentication for 192.0.2.14 port 55555
+
 # failJSON: { "time": "2005-03-15T09:21:01", "match": true , "host": "192.0.2.212", "desc": "DDOS mode causes failure on close within preauth stage" }
 Mar 15 09:21:01 host sshd[2717]: Connection closed by 192.0.2.212 [preauth]
 # failJSON: { "time": "2005-03-15T09:21:02", "match": true , "host": "192.0.2.212", "desc": "DDOS mode causes failure on close within preauth stage" }