cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync v2 with multi-tier distributed DDoS enhancements

Browse Source
This commit is contained in:
cschantz
2025-12-24 20:01:27 -05:00
parent e1a6d0a6be
commit 198abeb564
1 changed files with 44 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/security/live-attack-monitor-v2.sh
+44 -9
View File
@@ -2224,13 +2224,39 @@ monitor_network_attacks() {
if command -v ss &>/dev/null; then if command -v ss &>/dev/null; then
# Get total SYN_RECV count for distributed attack detection # Get total SYN_RECV count for distributed attack detection
local total_syn=$(ss -tn state syn-recv 2>/dev/null | wc -l) local total_syn=$(ss -tn state syn-recv 2>/dev/null | wc -l)
local distributed_attack=0 local attack_severity=0
local unique_ips=0
# Distributed DDoS detection: Many IPs with small counts # Multi-tier distributed DDoS detection
if [ "$total_syn" -gt 100 ]; then if [ "$total_syn" -gt 300 ]; then
distributed_attack=1 attack_severity=3 # Severe DDoS
elif [ "$total_syn" -gt 150 ]; then
attack_severity=2 # Major DDoS
elif [ "$total_syn" -gt 75 ]; then
attack_severity=1 # Moderate DDoS
fi fi
# Count unique attacker IPs and track /24 subnets
declare -A subnet_counts
local attacker_ips=$(ss -tn state syn-recv 2>/dev/null | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u)
while IFS= read -r attacker_ip; do
[ -z "$attacker_ip" ] && continue
((unique_ips++))
# Track /24 subnets to detect coordinated attacks
local subnet=$(echo "$attacker_ip" | cut -d. -f1-3)
((subnet_counts[$subnet]++))
done <<< "$attacker_ips"
# Coordinated botnet detection: 3+ IPs from same /24
local coordinated_attack=0
for subnet in "${!subnet_counts[@]}"; do
if [ "${subnet_counts[$subnet]}" -ge 3 ]; then
coordinated_attack=1
break
fi
done
# Count SYN_RECV connections per IP (sign of SYN flood) # Count SYN_RECV connections per IP (sign of SYN flood)
while read -r ip count; do while read -r ip count; do
# Skip local/private IPs first # Skip local/private IPs first
@@ -2244,12 +2270,21 @@ monitor_network_attacks() {
# Track connection count for this IP # Track connection count for this IP
CONNECTION_COUNT[$ip]=$count CONNECTION_COUNT[$ip]=$count
# Dynamic threshold based on attack type: # Dynamic threshold based on attack severity:
# - Normal: >20 connections (focused attack) # Tier 0: >20 connections (normal, focused attack)
# - Distributed DDoS: >5 connections (botnet) # Tier 1: >8 connections (75-150 total, moderate DDoS)
# Tier 2: >5 connections (150-300 total, major DDoS)
# Tier 3: >3 connections (300+ total, severe DDoS)
local threshold=20 local threshold=20
if [ "$distributed_attack" -eq 1 ]; then case "$attack_severity" in
threshold=5 # Lower threshold during distributed attacks 3) threshold=3 ;; # Severe: Very aggressive
2) threshold=5 ;; # Major: Aggressive
1) threshold=8 ;; # Moderate: Balanced
esac
# Coordinated attack bonus: Lower threshold by 2
if [ "$coordinated_attack" -eq 1 ] && [ "$threshold" -gt 3 ]; then
threshold=$((threshold - 2))
fi fi
if [ "$count" -gt "$threshold" ]; then if [ "$count" -gt "$threshold" ]; then