Add 5 advanced SYN flood intelligence metrics for better attacker detection
New SYN-Specific Intelligence Metrics: 1. PURE-SYN DETECTION (+20 points) - IP has 5+ SYN_RECV but 0 ESTABLISHED connections - Legitimate users always complete some handshakes - Pure SYN = 100% attack traffic, no legitimate use - Tag: PURE-SYN 2. SYN/ESTABLISHED RATIO ANALYSIS (+10-15 points) - Normal: More ESTABLISHED than SYN_RECV - Suspicious: 2:1 or 3:1 SYN_RECV:ESTABLISHED ratio - 3:1 ratio: +15 points - 2:1 ratio: +10 points - Tag: BAD-RATIO 3. REPEATED SYN WITHOUT COMPLETION (+15 points) - IP detected 2+ times with SYN floods - BUT never has any ESTABLISHED connections - Indicates bot that never completes handshakes - Filters out transient network issues 4. SPOOFED SOURCE IP DETECTION (+20 points) - High SYN count (10+) - Detected 2+ times - No other traffic (no HTTP, no scans, nothing) - Likely IP spoofing attack - Tag: SPOOFED 5. SINGLE-TARGET PORT FOCUS (+5-10 points) - All SYN_RECV to same port (e.g., only :80) - Indicates targeted attack vs port scan - 1 port + 8+ conns: +10 points - 2 ports + 15+ conns: +5 points - Tag: TARGETED Log Format Enhancement: Old: Conns:14 | DDoS:T4 New: Conns:14 Est:0 | DDoS:T4 PURE-SYN SPOOFED TARGETED Example Attack Signatures: Pure Botnet: [20:45:12] 1.2.3.4 | Score:105 [CRITICAL] | 💥SYN_FLOOD | Conns:12 Est:0 | DDoS:T4 ACCEL BOTNET PURE-SYN SPOOFED TARGETED Sophisticated Multi-Vector: [20:45:13] 5.6.7.8 | Score:120 [CRITICAL] | 💥SYN_FLOOD | Conns:15 Est:2 | DDoS:T4 BOTNET MULTI-VECTOR HTTP-ATTACKER BAD-RATIO HOSTILE-ASN Scoring Impact (512 SYN Attack Example): Base: 15 Tier 4: +50 Momentum: +15 Pure SYN: +20 Spoofed: +20 Targeted: +10 ────────────── TOTAL: 130 points → Instant block + score 100 cap Benefits: - Distinguishes bots from legitimate users - Catches IP spoofing attacks - Detects repeat offenders faster - Provides clear attack attribution in logs
This commit is contained in:
cschantz
@@ -2478,6 +2478,61 @@ monitor_network_attacks() {
|
||||
conn_bonus=$((conn_bonus + 8)) # Accelerating
|
||||
fi
|
||||
|
||||
# SYN FLOOD SPECIFIC INTELLIGENCE METRICS
|
||||
|
||||
# 1. Pure SYN attacker (no ESTABLISHED connections)
|
||||
# Legitimate users always have some established connections
|
||||
# Pure SYN = 100% attack traffic
|
||||
if [ "$established_conns" -eq 0 ] && [ "$count" -ge 5 ]; then
|
||||
conn_bonus=$((conn_bonus + 20)) # Pure SYN flood, no legitimate traffic
|
||||
fi
|
||||
|
||||
# 2. SYN/ESTABLISHED ratio detection
|
||||
# Normal: More ESTABLISHED than SYN_RECV
|
||||
# Attacker: More SYN_RECV than ESTABLISHED (or 0 established)
|
||||
if [ "$established_conns" -gt 0 ]; then
|
||||
# Calculate ratio (multiply by 10 for integer math)
|
||||
local ratio=$((count * 10 / established_conns))
|
||||
if [ "$ratio" -ge 30 ]; then
|
||||
conn_bonus=$((conn_bonus + 15)) # 3:1 ratio = suspicious
|
||||
elif [ "$ratio" -ge 20 ]; then
|
||||
conn_bonus=$((conn_bonus + 10)) # 2:1 ratio = questionable
|
||||
fi
|
||||
fi
|
||||
|
||||
# 3. Connection persistence without completion
|
||||
# Check if IP has been seen before with SYN but never completed
|
||||
if [ "${hits:-0}" -ge 2 ] && [ "$established_conns" -eq 0 ]; then
|
||||
conn_bonus=$((conn_bonus + 15)) # Repeated SYN, never establishes = bot
|
||||
fi
|
||||
|
||||
# 4. Spoofed source detection (high SYN, low other traffic)
|
||||
# Check if IP has ANY other traffic (HTTP requests, DNS, etc)
|
||||
local has_other_traffic=0
|
||||
if [ -f "$TEMP_DIR/ip_${ip//\./_}" ]; then
|
||||
local ip_attacks=$(grep -oP 'attacks=\K[^|]+' "$TEMP_DIR/ip_${ip//\./_}" 2>/dev/null || echo "")
|
||||
# If has HTTP attacks, not spoofed
|
||||
if [[ "$ip_attacks" =~ (SQLI|XSS|BRUTE|SCAN) ]]; then
|
||||
has_other_traffic=1
|
||||
fi
|
||||
fi
|
||||
|
||||
# High SYN but no other traffic = likely spoofed source
|
||||
if [ "$has_other_traffic" -eq 0 ] && [ "$count" -ge 10 ] && [ "${hits:-0}" -ge 2 ]; then
|
||||
conn_bonus=$((conn_bonus + 20)) # Spoofed source IP
|
||||
fi
|
||||
|
||||
# 5. Single-target focus detection
|
||||
# Botnet usually targets one service/port
|
||||
# Check if connections are all to same port (80/443)
|
||||
local target_ports=$(ss -tn state syn-recv src "$ip" 2>/dev/null | grep -oP ':\d+\s+' | sort -u | wc -l)
|
||||
[ -z "$target_ports" ] && target_ports=0
|
||||
if [ "$target_ports" -eq 1 ] && [ "$count" -ge 8 ]; then
|
||||
conn_bonus=$((conn_bonus + 10)) # Single port = targeted attack
|
||||
elif [ "$target_ports" -le 2 ] && [ "$count" -ge 15 ]; then
|
||||
conn_bonus=$((conn_bonus + 5)) # 1-2 ports = focused attack
|
||||
fi
|
||||
|
||||
# Multi-vector attack detection: Check if IP also has HTTP attacks
|
||||
# This indicates sophisticated attacker (SYN flood + application layer)
|
||||
local multi_vector=0
|
||||
@@ -2601,7 +2656,13 @@ monitor_network_attacks() {
|
||||
[ "$geo_bonus" -ge 15 ] && intel_tags="${intel_tags}HOSTILE-ASN "
|
||||
[ "$geo_bonus" -ge 10 ] && [ "$geo_bonus" -lt 15 ] && intel_tags="${intel_tags}HOSTILE-GEO "
|
||||
|
||||
echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 💥SYN_FLOOD | Conns:$count | ${intel_tags}${NC}" >> "$TEMP_DIR/recent_events"
|
||||
# SYN-specific intelligence tags
|
||||
[ "$established_conns" -eq 0 ] && [ "$count" -ge 5 ] && intel_tags="${intel_tags}PURE-SYN "
|
||||
[ "${ratio:-0}" -ge 30 ] && intel_tags="${intel_tags}BAD-RATIO "
|
||||
[ "$has_other_traffic" -eq 0 ] && [ "$count" -ge 10 ] && intel_tags="${intel_tags}SPOOFED "
|
||||
[ "${target_ports:-0}" -eq 1 ] && [ "$count" -ge 8 ] && intel_tags="${intel_tags}TARGETED "
|
||||
|
||||
echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 💥SYN_FLOOD | Conns:$count Est:$established_conns | ${intel_tags}${NC}" >> "$TEMP_DIR/recent_events"
|
||||
fi
|
||||
else
|
||||
# Reset alert if connections drop below threshold
|
||||
|
||||
@@ -2478,6 +2478,61 @@ monitor_network_attacks() {
|
||||
conn_bonus=$((conn_bonus + 8)) # Accelerating
|
||||
fi
|
||||
|
||||
# SYN FLOOD SPECIFIC INTELLIGENCE METRICS
|
||||
|
||||
# 1. Pure SYN attacker (no ESTABLISHED connections)
|
||||
# Legitimate users always have some established connections
|
||||
# Pure SYN = 100% attack traffic
|
||||
if [ "$established_conns" -eq 0 ] && [ "$count" -ge 5 ]; then
|
||||
conn_bonus=$((conn_bonus + 20)) # Pure SYN flood, no legitimate traffic
|
||||
fi
|
||||
|
||||
# 2. SYN/ESTABLISHED ratio detection
|
||||
# Normal: More ESTABLISHED than SYN_RECV
|
||||
# Attacker: More SYN_RECV than ESTABLISHED (or 0 established)
|
||||
if [ "$established_conns" -gt 0 ]; then
|
||||
# Calculate ratio (multiply by 10 for integer math)
|
||||
local ratio=$((count * 10 / established_conns))
|
||||
if [ "$ratio" -ge 30 ]; then
|
||||
conn_bonus=$((conn_bonus + 15)) # 3:1 ratio = suspicious
|
||||
elif [ "$ratio" -ge 20 ]; then
|
||||
conn_bonus=$((conn_bonus + 10)) # 2:1 ratio = questionable
|
||||
fi
|
||||
fi
|
||||
|
||||
# 3. Connection persistence without completion
|
||||
# Check if IP has been seen before with SYN but never completed
|
||||
if [ "${hits:-0}" -ge 2 ] && [ "$established_conns" -eq 0 ]; then
|
||||
conn_bonus=$((conn_bonus + 15)) # Repeated SYN, never establishes = bot
|
||||
fi
|
||||
|
||||
# 4. Spoofed source detection (high SYN, low other traffic)
|
||||
# Check if IP has ANY other traffic (HTTP requests, DNS, etc)
|
||||
local has_other_traffic=0
|
||||
if [ -f "$TEMP_DIR/ip_${ip//\./_}" ]; then
|
||||
local ip_attacks=$(grep -oP 'attacks=\K[^|]+' "$TEMP_DIR/ip_${ip//\./_}" 2>/dev/null || echo "")
|
||||
# If has HTTP attacks, not spoofed
|
||||
if [[ "$ip_attacks" =~ (SQLI|XSS|BRUTE|SCAN) ]]; then
|
||||
has_other_traffic=1
|
||||
fi
|
||||
fi
|
||||
|
||||
# High SYN but no other traffic = likely spoofed source
|
||||
if [ "$has_other_traffic" -eq 0 ] && [ "$count" -ge 10 ] && [ "${hits:-0}" -ge 2 ]; then
|
||||
conn_bonus=$((conn_bonus + 20)) # Spoofed source IP
|
||||
fi
|
||||
|
||||
# 5. Single-target focus detection
|
||||
# Botnet usually targets one service/port
|
||||
# Check if connections are all to same port (80/443)
|
||||
local target_ports=$(ss -tn state syn-recv src "$ip" 2>/dev/null | grep -oP ':\d+\s+' | sort -u | wc -l)
|
||||
[ -z "$target_ports" ] && target_ports=0
|
||||
if [ "$target_ports" -eq 1 ] && [ "$count" -ge 8 ]; then
|
||||
conn_bonus=$((conn_bonus + 10)) # Single port = targeted attack
|
||||
elif [ "$target_ports" -le 2 ] && [ "$count" -ge 15 ]; then
|
||||
conn_bonus=$((conn_bonus + 5)) # 1-2 ports = focused attack
|
||||
fi
|
||||
|
||||
# Multi-vector attack detection: Check if IP also has HTTP attacks
|
||||
# This indicates sophisticated attacker (SYN flood + application layer)
|
||||
local multi_vector=0
|
||||
@@ -2601,7 +2656,13 @@ monitor_network_attacks() {
|
||||
[ "$geo_bonus" -ge 15 ] && intel_tags="${intel_tags}HOSTILE-ASN "
|
||||
[ "$geo_bonus" -ge 10 ] && [ "$geo_bonus" -lt 15 ] && intel_tags="${intel_tags}HOSTILE-GEO "
|
||||
|
||||
echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 💥SYN_FLOOD | Conns:$count | ${intel_tags}${NC}" >> "$TEMP_DIR/recent_events"
|
||||
# SYN-specific intelligence tags
|
||||
[ "$established_conns" -eq 0 ] && [ "$count" -ge 5 ] && intel_tags="${intel_tags}PURE-SYN "
|
||||
[ "${ratio:-0}" -ge 30 ] && intel_tags="${intel_tags}BAD-RATIO "
|
||||
[ "$has_other_traffic" -eq 0 ] && [ "$count" -ge 10 ] && intel_tags="${intel_tags}SPOOFED "
|
||||
[ "${target_ports:-0}" -eq 1 ] && [ "$count" -ge 8 ] && intel_tags="${intel_tags}TARGETED "
|
||||
|
||||
echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 💥SYN_FLOOD | Conns:$count Est:$established_conns | ${intel_tags}${NC}" >> "$TEMP_DIR/recent_events"
|
||||
fi
|
||||
else
|
||||
# Reset alert if connections drop below threshold
|
||||
|
||||
Reference in New Issue
Block a user