From 2e176aa310abe3d740ea685902f6566fea2cb346 Mon Sep 17 00:00:00 2001 
From: cschantz Date: Wed, 24 Dec 2025 20:44:48 -0500 Subject: [PATCH] Add 5 advanced SYN flood intelligence metrics for better attacker detection MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit New SYN-Specific Intelligence Metrics: 1. PURE-SYN DETECTION (+20 points) - IP has 5+ SYN_RECV but 0 ESTABLISHED connections - Legitimate users always complete some handshakes - Pure SYN = 100% attack traffic, no legitimate use - Tag: PURE-SYN 2. SYN/ESTABLISHED RATIO ANALYSIS (+10-15 points) - Normal: More ESTABLISHED than SYN_RECV - Suspicious: 2:1 or 3:1 SYN_RECV:ESTABLISHED ratio - 3:1 ratio: +15 points - 2:1 ratio: +10 points - Tag: BAD-RATIO 3. REPEATED SYN WITHOUT COMPLETION (+15 points) - IP detected 2+ times with SYN floods - BUT never has any ESTABLISHED connections - Indicates bot that never completes handshakes - Filters out transient network issues 4. SPOOFED SOURCE IP DETECTION (+20 points) - High SYN count (10+) - Detected 2+ times - No other traffic (no HTTP, no scans, nothing) - Likely IP spoofing attack - Tag: SPOOFED 5. 
SINGLE-TARGET PORT FOCUS (+5-10 points) - All SYN_RECV to same port (e.g., only :80) - Indicates targeted attack vs port scan - 1 port + 8+ conns: +10 points - 2 ports + 15+ conns: +5 points - Tag: TARGETED Log Format Enhancement: Old: Conns:14 | DDoS:T4 New: Conns:14 Est:0 | DDoS:T4 PURE-SYN SPOOFED TARGETED Example Attack Signatures: Pure Botnet: [20:45:12] 1.2.3.4 | Score:105 [CRITICAL] | 💥SYN_FLOOD | Conns:12 Est:0 | DDoS:T4 ACCEL BOTNET PURE-SYN SPOOFED TARGETED Sophisticated Multi-Vector: [20:45:13] 5.6.7.8 | Score:120 [CRITICAL] | 💥SYN_FLOOD | Conns:15 Est:2 | DDoS:T4 BOTNET MULTI-VECTOR HTTP-ATTACKER BAD-RATIO HOSTILE-ASN Scoring Impact (512 SYN Attack Example): Base: 15 Tier 4: +50 Momentum: +15 Pure SYN: +20 Spoofed: +20 Targeted: +10 ────────────── TOTAL: 130 points → Instant block + score 100 cap Benefits: - Distinguishes bots from legitimate users - Catches IP spoofing attacks - Detects repeat offenders faster - Provides clear attack attribution in logs --- modules/security/live-attack-monitor-v2.sh | 63 +++++++++++++++++++++- modules/security/live-attack-monitor.sh | 63 +++++++++++++++++++++- 2 files changed, 124 insertions(+), 2 deletions(-) diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh index d148a20..9a5b88d 100755 --- a/modules/security/live-attack-monitor-v2.sh +++ b/modules/security/live-attack-monitor-v2.sh 
@@ -2478,6 +2478,61 @@ monitor_network_attacks() { conn_bonus=$((conn_bonus + 8)) # Accelerating fi + # SYN FLOOD SPECIFIC INTELLIGENCE METRICS + + # 1. Pure SYN attacker (no ESTABLISHED connections) + # Legitimate users always have some established connections + # Pure SYN = 100% attack traffic + if [ "$established_conns" -eq 0 ] && [ "$count" -ge 5 ]; then + conn_bonus=$((conn_bonus + 20)) # Pure SYN flood, no legitimate traffic + fi + + # 2. SYN/ESTABLISHED ratio detection + # Normal: More ESTABLISHED than SYN_RECV + # Attacker: More SYN_RECV than ESTABLISHED (or 0 established) + if [ "$established_conns" -gt 0 ]; then + # Calculate ratio (multiply by 10 for integer math) + local ratio=$((count * 10 / established_conns)) + if [ "$ratio" -ge 30 ]; then + conn_bonus=$((conn_bonus + 15)) # 3:1 ratio = suspicious + elif [ "$ratio" -ge 20 ]; then + conn_bonus=$((conn_bonus + 10)) # 2:1 ratio = questionable + fi + fi + + # 3. Connection persistence without completion + # Check if IP has been seen before with SYN but never completed + if [ "${hits:-0}" -ge 2 ] && [ "$established_conns" -eq 0 ]; then + conn_bonus=$((conn_bonus + 15)) # Repeated SYN, never establishes = bot + fi + + # 4. Spoofed source detection (high SYN, low other traffic) + # Check if IP has ANY other traffic (HTTP requests, DNS, etc) + local has_other_traffic=0 + if [ -f "$TEMP_DIR/ip_${ip//\./_}" ]; then + local ip_attacks=$(grep -oP 'attacks=\K[^|]+' "$TEMP_DIR/ip_${ip//\./_}" 2>/dev/null || echo "") + # If has HTTP attacks, not spoofed + if [[ "$ip_attacks" =~ (SQLI|XSS|BRUTE|SCAN) ]]; then + has_other_traffic=1 + fi + fi + + # High SYN but no other traffic = likely spoofed source + if [ "$has_other_traffic" -eq 0 ] && [ "$count" -ge 10 ] && [ "${hits:-0}" -ge 2 ]; then + conn_bonus=$((conn_bonus + 20)) # Spoofed source IP + fi + + # 5. 
Single-target focus detection + # Botnet usually targets one service/port + # Check if connections are all to same port (80/443) + local target_ports=$(ss -tn state syn-recv src "$ip" 2>/dev/null | grep -oP ':\d+\s+' | sort -u | wc -l) + [ -z "$target_ports" ] && target_ports=0 + if [ "$target_ports" -eq 1 ] && [ "$count" -ge 8 ]; then + conn_bonus=$((conn_bonus + 10)) # Single port = targeted attack + elif [ "$target_ports" -le 2 ] && [ "$count" -ge 15 ]; then + conn_bonus=$((conn_bonus + 5)) # 1-2 ports = focused attack + fi + # Multi-vector attack detection: Check if IP also has HTTP attacks # This indicates sophisticated attacker (SYN flood + application layer) local multi_vector=0 @@ -2601,7 +2656,13 @@ monitor_network_attacks() { [ "$geo_bonus" -ge 15 ] && intel_tags="${intel_tags}HOSTILE-ASN " [ "$geo_bonus" -ge 10 ] && [ "$geo_bonus" -lt 15 ] && intel_tags="${intel_tags}HOSTILE-GEO " - echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 💥SYN_FLOOD | Conns:$count | ${intel_tags}${NC}" >> "$TEMP_DIR/recent_events" + # SYN-specific intelligence tags + [ "$established_conns" -eq 0 ] && [ "$count" -ge 5 ] && intel_tags="${intel_tags}PURE-SYN " + [ "${ratio:-0}" -ge 30 ] && intel_tags="${intel_tags}BAD-RATIO " + [ "$has_other_traffic" -eq 0 ] && [ "$count" -ge 10 ] && intel_tags="${intel_tags}SPOOFED " + [ "${target_ports:-0}" -eq 1 ] && [ "$count" -ge 8 ] && intel_tags="${intel_tags}TARGETED " + + echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 💥SYN_FLOOD | Conns:$count Est:$established_conns | ${intel_tags}${NC}" >> "$TEMP_DIR/recent_events" fi else # Reset alert if connections drop below threshold diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh index d148a20..9a5b88d 100755 --- a/modules/security/live-attack-monitor.sh +++ b/modules/security/live-attack-monitor.sh 
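Review bot: The `ss -tn state syn-recv src "$ip"` call in the single-target block (metric 5) most likely returns nothing for the address being scored: in ss(8) filter syntax `src` matches the local address and `dst` the remote peer, so if `$ip` is the remote SYN sender, as the rest of the block assumes, the filter should be `dst "$ip"`. With no output `target_ports` is 0, and the `elif [ "$target_ports" -le 2 ]` branch then grants the +5 "focused attack" bonus to every IP with 15+ connections on no port evidence at all; `[ "$target_ports" -ge 1 ] && [ "$target_ports" -le 2 ]` closes that hole. Counting distinct ports with `grep -oP ':\d+\s+' | sort -u` also keeps the column padding in the matched text, so the same local port may be counted more than once when the local addresses differ in length; match `:\d+(?=\s)` instead. The enclosing monitor_network_attacks() function starts and ends outside this hunk, and the identical hunk in modules/security/live-attack-monitor.sh has the same issues.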
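Review bot: The new tag lines re-derive the SYN conditions instead of reusing the decision made when the bonus was scored, and the two already disagree: SPOOFED is tagged on `has_other_traffic -eq 0 && count -ge 10` without the `hits -ge 2` check that the +20 requires, and BAD-RATIO only fires at `ratio -ge 30` while the score also adds +10 at `-ge 20`. `ratio` is furthermore only assigned inside `if [ "$established_conns" -gt 0 ]`, so if this code runs once per IP inside a loop (the function starts outside the hunk) a value from a previous IP survives into `${ratio:-0}` and can tag an address that has zero established connections; initialise it with `local ratio=0` before that `if`. A simpler shape is to append the tag in the same branch that adds the points, e.g. `conn_bonus=$((conn_bonus + 20)); syn_tags="${syn_tags}SPOOFED "`, and then `intel_tags="${intel_tags}${syn_tags}"` here, so the log can never claim an attribution the score did not award. The same applies to the matching hunk in modules/security/live-attack-monitor.sh.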
@@ -2478,6 +2478,61 @@ monitor_network_attacks() { conn_bonus=$((conn_bonus + 8)) # Accelerating fi + # SYN FLOOD SPECIFIC INTELLIGENCE METRICS + + # 1. Pure SYN attacker (no ESTABLISHED connections) + # Legitimate users always have some established connections + # Pure SYN = 100% attack traffic + if [ "$established_conns" -eq 0 ] && [ "$count" -ge 5 ]; then + conn_bonus=$((conn_bonus + 20)) # Pure SYN flood, no legitimate traffic + fi + + # 2. SYN/ESTABLISHED ratio detection + # Normal: More ESTABLISHED than SYN_RECV + # Attacker: More SYN_RECV than ESTABLISHED (or 0 established) + if [ "$established_conns" -gt 0 ]; then + # Calculate ratio (multiply by 10 for integer math) + local ratio=$((count * 10 / established_conns)) + if [ "$ratio" -ge 30 ]; then + conn_bonus=$((conn_bonus + 15)) # 3:1 ratio = suspicious + elif [ "$ratio" -ge 20 ]; then + conn_bonus=$((conn_bonus + 10)) # 2:1 ratio = questionable + fi + fi + + # 3. Connection persistence without completion + # Check if IP has been seen before with SYN but never completed + if [ "${hits:-0}" -ge 2 ] && [ "$established_conns" -eq 0 ]; then + conn_bonus=$((conn_bonus + 15)) # Repeated SYN, never establishes = bot + fi + + # 4. Spoofed source detection (high SYN, low other traffic) + # Check if IP has ANY other traffic (HTTP requests, DNS, etc) + local has_other_traffic=0 + if [ -f "$TEMP_DIR/ip_${ip//\./_}" ]; then + local ip_attacks=$(grep -oP 'attacks=\K[^|]+' "$TEMP_DIR/ip_${ip//\./_}" 2>/dev/null || echo "") + # If has HTTP attacks, not spoofed + if [[ "$ip_attacks" =~ (SQLI|XSS|BRUTE|SCAN) ]]; then + has_other_traffic=1 + fi + fi + + # High SYN but no other traffic = likely spoofed source + if [ "$has_other_traffic" -eq 0 ] && [ "$count" -ge 10 ] && [ "${hits:-0}" -ge 2 ]; then + conn_bonus=$((conn_bonus + 20)) # Spoofed source IP + fi + + # 5. 
Single-target focus detection + # Botnet usually targets one service/port + # Check if connections are all to same port (80/443) + local target_ports=$(ss -tn state syn-recv src "$ip" 2>/dev/null | grep -oP ':\d+\s+' | sort -u | wc -l) + [ -z "$target_ports" ] && target_ports=0 + if [ "$target_ports" -eq 1 ] && [ "$count" -ge 8 ]; then + conn_bonus=$((conn_bonus + 10)) # Single port = targeted attack + elif [ "$target_ports" -le 2 ] && [ "$count" -ge 15 ]; then + conn_bonus=$((conn_bonus + 5)) # 1-2 ports = focused attack + fi + # Multi-vector attack detection: Check if IP also has HTTP attacks # This indicates sophisticated attacker (SYN flood + application layer) local multi_vector=0 @@ -2601,7 +2656,13 @@ monitor_network_attacks() { [ "$geo_bonus" -ge 15 ] && intel_tags="${intel_tags}HOSTILE-ASN " [ "$geo_bonus" -ge 10 ] && [ "$geo_bonus" -lt 15 ] && intel_tags="${intel_tags}HOSTILE-GEO " - echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 💥SYN_FLOOD | Conns:$count | ${intel_tags}${NC}" >> "$TEMP_DIR/recent_events" + # SYN-specific intelligence tags + [ "$established_conns" -eq 0 ] && [ "$count" -ge 5 ] && intel_tags="${intel_tags}PURE-SYN " + [ "${ratio:-0}" -ge 30 ] && intel_tags="${intel_tags}BAD-RATIO " + [ "$has_other_traffic" -eq 0 ] && [ "$count" -ge 10 ] && intel_tags="${intel_tags}SPOOFED " + [ "${target_ports:-0}" -eq 1 ] && [ "$count" -ge 8 ] && intel_tags="${intel_tags}TARGETED " + + echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 💥SYN_FLOOD | Conns:$count Est:$established_conns | ${intel_tags}${NC}" >> "$TEMP_DIR/recent_events" fi else # Reset alert if connections drop below threshold