cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CRITICAL FIX: Severity threshold off-by-one error (> should be >=)

Browse Source 
Bug #5 (CRITICAL): Attack severity calculation used '>' instead of '>=',
causing off-by-one boundary conditions:

Before fix:
- total_syn=500 → severity=0 (should be 4!)
- total_syn=300 → severity=0 (should be 3!)
- total_syn=150 → severity=0 (should be 2!)
- total_syn=75 → severity=0 (should be 1!)

This means attacks at EXACTLY these critical thresholds were misclassified
as severity=0, resulting in:
- Wrong threshold (stays at 20 instead of 3-10)
- IPs not detected that should be
- Adaptive threshold not lowered properly

Fix: Change all conditions from > to >= to include boundary values:
- total_syn >= 500 → severity=4
- total_syn >= 300 → severity=3
- total_syn >= 150 → severity=2
- total_syn >= 75 → severity=1
- else → severity=0

Impact: Large-scale attacks at exact threshold counts now properly classified.

Example: Server with exactly 500 SYN connections
- Before: severity=0, threshold=20 (no detection)
- After: severity=4, threshold=3 (proper detection)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
This commit is contained in:
cschantz
2026-03-06 23:13:48 -05:00
parent 8f61919361
commit 07448e1136
1 changed files with 6 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/security/live-attack-monitor-v2.sh
+6 -4
View File
@@ -2498,13 +2498,15 @@ monitor_network_attacks() {
local unique_ips=0
# Multi-tier distributed DDoS detection with adaptive learning
if [ "$total_syn" -gt 500 ]; then
# CRITICAL FIX: Use >= not > to include boundary values
# Bug: total_syn=500 was severity 0 instead of 4 (off-by-one)
if [ "$total_syn" -ge 500 ]; then
attack_severity=4 # Critical DDoS (new tier)
elif [ "$total_syn" -gt 300 ]; then
elif [ "$total_syn" -ge 300 ]; then
attack_severity=3 # Severe DDoS
elif [ "$total_syn" -gt 150 ]; then
elif [ "$total_syn" -ge 150 ]; then
attack_severity=2 # Major DDoS
elif [ "$total_syn" -gt 75 ]; then
elif [ "$total_syn" -ge 75 ]; then
attack_severity=1 # Moderate DDoS
fi
ATTACK_SEVERITY=$attack_severity # Store for next iteration