cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add 5 advanced SYN flood intelligence metrics for better attacker detection

Browse Source 
New SYN-Specific Intelligence Metrics:

1. PURE-SYN DETECTION (+20 points)
   - IP has 5+ SYN_RECV but 0 ESTABLISHED connections
   - Legitimate users always complete some handshakes
   - Pure SYN = 100% attack traffic, no legitimate use
   - Tag: PURE-SYN

2. SYN/ESTABLISHED RATIO ANALYSIS (+10-15 points)
   - Normal: More ESTABLISHED than SYN_RECV
   - Suspicious: 2:1 or 3:1 SYN_RECV:ESTABLISHED ratio
   - 3:1 ratio: +15 points
   - 2:1 ratio: +10 points
   - Tag: BAD-RATIO

3. REPEATED SYN WITHOUT COMPLETION (+15 points)
   - IP detected 2+ times with SYN floods
   - BUT never has any ESTABLISHED connections
   - Indicates bot that never completes handshakes
   - Filters out transient network issues

4. SPOOFED SOURCE IP DETECTION (+20 points)
   - High SYN count (10+)
   - Detected 2+ times
   - No other traffic (no HTTP, no scans, nothing)
   - Likely IP spoofing attack
   - Tag: SPOOFED

5. SINGLE-TARGET PORT FOCUS (+5-10 points)
   - All SYN_RECV to same port (e.g., only :80)
   - Indicates targeted attack vs port scan
   - 1 port + 8+ conns: +10 points
   - 2 ports + 15+ conns: +5 points
   - Tag: TARGETED

Log Format Enhancement:
  Old: Conns:14 | DDoS:T4
  New: Conns:14 Est:0 | DDoS:T4 PURE-SYN SPOOFED TARGETED

Example Attack Signatures:

Pure Botnet:
  [20:45:12] 1.2.3.4 | Score:105 [CRITICAL] | 💥SYN_FLOOD | Conns:12 Est:0 | DDoS:T4 ACCEL BOTNET PURE-SYN SPOOFED TARGETED

Sophisticated Multi-Vector:
  [20:45:13] 5.6.7.8 | Score:120 [CRITICAL] | 💥SYN_FLOOD | Conns:15 Est:2 | DDoS:T4 BOTNET MULTI-VECTOR HTTP-ATTACKER BAD-RATIO HOSTILE-ASN

Scoring Impact (512 SYN Attack Example):
  Base: 15
  Tier 4: +50
  Momentum: +15
  Pure SYN: +20
  Spoofed: +20
  Targeted: +10
  ──────────────
  TOTAL: 130 points → Instant block + score 100 cap

Benefits:
- Distinguishes bots from legitimate users
- Catches IP spoofing attacks
- Detects repeat offenders faster
- Provides clear attack attribution in logs
This commit is contained in:
cschantz
2025-12-24 20:44:48 -05:00
parent cae9db2d53
commit 2e176aa310
2 changed files with 124 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/security/live-attack-monitor.sh
+62 -1
View File
@@ -2478,6 +2478,61 @@ monitor_network_attacks() {
conn_bonus=$((conn_bonus + 8)) # Accelerating
fi
# SYN FLOOD SPECIFIC INTELLIGENCE METRICS
# 1. Pure SYN attacker (no ESTABLISHED connections)
# Legitimate users always have some established connections
# Pure SYN = 100% attack traffic
if [ "$established_conns" -eq 0 ] && [ "$count" -ge 5 ]; then
conn_bonus=$((conn_bonus + 20)) # Pure SYN flood, no legitimate traffic
fi
# 2. SYN/ESTABLISHED ratio detection
# Normal: More ESTABLISHED than SYN_RECV
# Attacker: More SYN_RECV than ESTABLISHED (or 0 established)
if [ "$established_conns" -gt 0 ]; then
# Calculate ratio (multiply by 10 for integer math)
local ratio=$((count * 10 / established_conns))
if [ "$ratio" -ge 30 ]; then
conn_bonus=$((conn_bonus + 15)) # 3:1 ratio = suspicious
elif [ "$ratio" -ge 20 ]; then
conn_bonus=$((conn_bonus + 10)) # 2:1 ratio = questionable
fi
fi
# 3. Connection persistence without completion
# Check if IP has been seen before with SYN but never completed
if [ "${hits:-0}" -ge 2 ] && [ "$established_conns" -eq 0 ]; then
conn_bonus=$((conn_bonus + 15)) # Repeated SYN, never establishes = bot
fi
# 4. Spoofed source detection (high SYN, low other traffic)
# Check if IP has ANY other traffic (HTTP requests, DNS, etc)
local has_other_traffic=0
if [ -f "$TEMP_DIR/ip_${ip//\./_}" ]; then
local ip_attacks=$(grep -oP 'attacks=\K[^|]+' "$TEMP_DIR/ip_${ip//\./_}" 2>/dev/null || echo "")
# If has HTTP attacks, not spoofed
if [[ "$ip_attacks" =~ (SQLI|XSS|BRUTE|SCAN) ]]; then
has_other_traffic=1
fi
fi
# High SYN but no other traffic = likely spoofed source
if [ "$has_other_traffic" -eq 0 ] && [ "$count" -ge 10 ] && [ "${hits:-0}" -ge 2 ]; then
conn_bonus=$((conn_bonus + 20)) # Spoofed source IP
fi
# 5. Single-target focus detection
# Botnet usually targets one service/port
# Check if connections are all to same port (80/443)
local target_ports=$(ss -tn state syn-recv src "$ip" 2>/dev/null | grep -oP ':\d+\s+' | sort -u | wc -l)
[ -z "$target_ports" ] && target_ports=0
if [ "$target_ports" -eq 1 ] && [ "$count" -ge 8 ]; then
conn_bonus=$((conn_bonus + 10)) # Single port = targeted attack
elif [ "$target_ports" -le 2 ] && [ "$count" -ge 15 ]; then
conn_bonus=$((conn_bonus + 5)) # 1-2 ports = focused attack
fi
# Multi-vector attack detection: Check if IP also has HTTP attacks
# This indicates sophisticated attacker (SYN flood + application layer)
local multi_vector=0
@@ -2601,7 +2656,13 @@ monitor_network_attacks() {
[ "$geo_bonus" -ge 15 ] && intel_tags="${intel_tags}HOSTILE-ASN "
[ "$geo_bonus" -ge 10 ] && [ "$geo_bonus" -lt 15 ] && intel_tags="${intel_tags}HOSTILE-GEO "
echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 💥SYN_FLOOD | Conns:$count | ${intel_tags}${NC}" >> "$TEMP_DIR/recent_events"
# SYN-specific intelligence tags
[ "$established_conns" -eq 0 ] && [ "$count" -ge 5 ] && intel_tags="${intel_tags}PURE-SYN "
[ "${ratio:-0}" -ge 30 ] && intel_tags="${intel_tags}BAD-RATIO "
[ "$has_other_traffic" -eq 0 ] && [ "$count" -ge 10 ] && intel_tags="${intel_tags}SPOOFED "
[ "${target_ports:-0}" -eq 1 ] && [ "$count" -ge 8 ] && intel_tags="${intel_tags}TARGETED "
echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 💥SYN_FLOOD | Conns:$count Est:$established_conns | ${intel_tags}${NC}" >> "$TEMP_DIR/recent_events"
fi
else
# Reset alert if connections drop below threshold