From 07448e11369ecacf4273a0570e81c47b87d547c5 Mon Sep 17 00:00:00 2001
From: cschantz <admin@server.local>
Date: Fri, 6 Mar 2026 23:13:48 -0500
Subject: [PATCH] CRITICAL FIX: Severity threshold off-by-one error (> should
 be >=)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bug #5 (CRITICAL): Attack severity calculation used '>' instead of '>=',
causing off-by-one boundary conditions:

Before fix:
- total_syn=500 → severity=0 (should be 4!)
- total_syn=300 → severity=0 (should be 3!)
- total_syn=150 → severity=0 (should be 2!)
- total_syn=75 → severity=0 (should be 1!)

This means attacks at EXACTLY these critical thresholds were misclassified
as severity=0, resulting in:
- Wrong threshold (stays at 20 instead of 3-10)
- IPs not detected that should be
- Adaptive threshold not lowered properly

Fix: Change all conditions from > to >= to include boundary values:
- total_syn >= 500 → severity=4
- total_syn >= 300 → severity=3
- total_syn >= 150 → severity=2
- total_syn >= 75 → severity=1
- else → severity=0

Impact: Large-scale attacks at exact threshold counts now properly classified.

Example: Server with exactly 500 SYN connections
- Before: severity=0, threshold=20 (no detection)
- After: severity=4, threshold=3 (proper detection)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
---
 modules/security/live-attack-monitor-v2.sh | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 1987292..7f8eb03 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2498,13 +2498,15 @@ monitor_network_attacks() {
                     local unique_ips=0
 
                     # Multi-tier distributed DDoS detection with adaptive learning
-                    if [ "$total_syn" -gt 500 ]; then
+                    # CRITICAL FIX: Use >= not > to include boundary values
+                    # Bug: total_syn=500 was severity 0 instead of 4 (off-by-one)
+                    if [ "$total_syn" -ge 500 ]; then
                         attack_severity=4  # Critical DDoS (new tier)
-                    elif [ "$total_syn" -gt 300 ]; then
+                    elif [ "$total_syn" -ge 300 ]; then
                         attack_severity=3  # Severe DDoS
-                    elif [ "$total_syn" -gt 150 ]; then
+                    elif [ "$total_syn" -ge 150 ]; then
                         attack_severity=2  # Major DDoS
-                    elif [ "$total_syn" -gt 75 ]; then
+                    elif [ "$total_syn" -ge 75 ]; then
                         attack_severity=1  # Moderate DDoS
                     fi
                     ATTACK_SEVERITY=$attack_severity  # Store for next iteration