From 5fbed6ae4c7f63b230b95d576f70630d5ab30785 Mon Sep 17 00:00:00 2001
From: cschantz
Date: Wed, 24 Dec 2025 20:07:25 -0500
Subject: [PATCH] Adjust DDoS thresholds for production web servers
Raised minimum thresholds to prevent false positives on busy websites: Previous (too aggressive for web servers): - Tier 4: >2 connections - Tier 3: >3 connections - Tier 2: >5 connections - Tier 1: >8 connections - Minimum: 2 New (production-safe): - Tier 4: >3 connections (500+ total SYN) - Tier 3: >4 connections (300-500 total) - Tier 2: >6 connections (150-300 total) - Tier 1: >10 connections (75-150 total) - Minimum: 3 Rationale: Web servers handle legitimate high traffic with brief SYN_RECV spikes. Corporate NAT, mobile users, and APIs can cause 2-3 SYN_RECV legitimately. Minimum of 3 prevents false positives while still catching distributed attacks. Your 512-connection attack still triggers Tier 4 with threshold 3, detecting 40+ attacking IPs while protecting legitimate traffic.
---
 modules/security/live-attack-monitor-v2.sh | 26 +++++++++++-----------
 modules/security/live-attack-monitor.sh | 26 +++++++++++-----------
 2 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index d786a72..9cacb27 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2315,32 +2315,32 @@ monitor_network_attacks() { # Dynamic threshold based on attack severity + momentum: # Tier 0: >20 connections (normal, focused attack) - # Tier 1: >8 connections (75-150 total, moderate DDoS) - # Tier 2: >5 connections (150-300 total, major DDoS) - # Tier 3: >3 connections (300-500 total, severe DDoS) - # Tier 4: >2 connections (500+ total, CRITICAL DDoS) + # Tier 1: >10 connections (75-150 total, moderate DDoS) + # Tier 2: >6 connections (150-300 total, major DDoS) + # Tier 3: >4 connections (300-500 total, severe DDoS) + # Tier 4: >3 connections (500+ total, CRITICAL DDoS) local threshold=20 case "$attack_severity" in - 4) threshold=2 ;; # Critical: Hyper-aggressive - 3) threshold=3 ;; # Severe: Very aggressive - 2) threshold=5 ;; # Major: Aggressive - 1) threshold=8 ;; # Moderate: Balanced + 4) threshold=3 ;; # Critical: Very aggressive (safe for production) + 3) threshold=4 ;; # Severe: Aggressive + 2) threshold=6 ;; # Major: Balanced + 1) threshold=10 ;; # Moderate: Conservative esac # Attack momentum adaptation: Lower threshold if attack is growing - if [ "$attack_momentum" -eq 2 ] && [ "$threshold" -gt 2 ]; then + if [ "$attack_momentum" -eq 2 ] && [ "$threshold" -gt 3 ]; then threshold=$((threshold - 2)) # Rapidly accelerating attack - elif [ "$attack_momentum" -eq 1 ] && [ "$threshold" -gt 2 ]; then + elif [ "$attack_momentum" -eq 1 ] && [ "$threshold" -gt 3 ]; then threshold=$((threshold - 1)) # Accelerating attack fi # Coordinated attack bonus: Lower threshold by 1 (stacks with momentum) - if [ "$coordinated_attack" -eq 1 ] && [ "$threshold" -gt 2 ]; then + if [ "$coordinated_attack" -eq 1 ] && [ "$threshold" -gt 3 ]; then threshold=$((threshold - 1)) fi - # Minimum threshold of 2 to prevent false positives - [ "$threshold" -lt 2 ] && threshold=2 + # Minimum threshold of 3 to prevent false positives on busy web servers + [ "$threshold" -lt 3 ] && threshold=3 if [ "$count" -gt "$threshold" ]; then # Only process once per detection 
window
diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index d786a72..9cacb27 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
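Review bot: The new floor of 3 is now a literal in five places in this hunk — the three `-gt 3` guards and the clamp `[ "$threshold" -lt 3 ] && threshold=3` — and in the same five places in the identical hunk of modules/security/live-attack-monitor.sh, so the next tuning has to touch ten spots that must agree, and a drift between a guard and the clamp would silently change how far momentum and coordination can lower the per-source SYN_RECV threshold. Since the clamp already bounds every path, the guards add nothing beyond it; hoisting the floor into a single `local min_threshold=3` next to `local threshold=20` and using it in the guards and the clamp keeps the dial between false positives on NAT/mobile traffic and missed low-volume sources in one documented place. The identical `index d786a72..9cacb27` lines on both files suggest they are byte-for-byte copies, which is worth confirming before the duplicate keeps being patched in parallel. monitor_network_attacks() begins before and continues after this hunk.
```shell
# … unchanged: tier comment block …
local threshold=20
# Floor for every reduction below: one place to tune the false-positive /
# false-negative trade-off instead of several literals that must stay in sync.
local min_threshold=3
# … unchanged: case "$attack_severity" … esac …
# Attack momentum adaptation: Lower threshold if attack is growing
if [ "$attack_momentum" -eq 2 ] && [ "$threshold" -gt "$min_threshold" ]; then
  threshold=$((threshold - 2)) # Rapidly accelerating attack
elif [ "$attack_momentum" -eq 1 ] && [ "$threshold" -gt "$min_threshold" ]; then
  threshold=$((threshold - 1)) # Accelerating attack
fi
# Coordinated attack bonus: Lower threshold by 1 (stacks with momentum)
if [ "$coordinated_attack" -eq 1 ] && [ "$threshold" -gt "$min_threshold" ]; then
  threshold=$((threshold - 1))
fi
# Minimum threshold to prevent false positives on busy web servers
[ "$threshold" -lt "$min_threshold" ] && threshold="$min_threshold"
# … unchanged: if [ "$count" -gt "$threshold" ] … …
```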
@@ -2315,32 +2315,32 @@ monitor_network_attacks() { # Dynamic threshold based on attack severity + momentum: # Tier 0: >20 connections (normal, focused attack) - # Tier 1: >8 connections (75-150 total, moderate DDoS) - # Tier 2: >5 connections (150-300 total, major DDoS) - # Tier 3: >3 connections (300-500 total, severe DDoS) - # Tier 4: >2 connections (500+ total, CRITICAL DDoS) + # Tier 1: >10 connections (75-150 total, moderate DDoS) + # Tier 2: >6 connections (150-300 total, major DDoS) + # Tier 3: >4 connections (300-500 total, severe DDoS) + # Tier 4: >3 connections (500+ total, CRITICAL DDoS) local threshold=20 case "$attack_severity" in - 4) threshold=2 ;; # Critical: Hyper-aggressive - 3) threshold=3 ;; # Severe: Very aggressive - 2) threshold=5 ;; # Major: Aggressive - 1) threshold=8 ;; # Moderate: Balanced + 4) threshold=3 ;; # Critical: Very aggressive (safe for production) + 3) threshold=4 ;; # Severe: Aggressive + 2) threshold=6 ;; # Major: Balanced + 1) threshold=10 ;; # Moderate: Conservative esac # Attack momentum adaptation: Lower threshold if attack is growing - if [ "$attack_momentum" -eq 2 ] && [ "$threshold" -gt 2 ]; then + if [ "$attack_momentum" -eq 2 ] && [ "$threshold" -gt 3 ]; then threshold=$((threshold - 2)) # Rapidly accelerating attack - elif [ "$attack_momentum" -eq 1 ] && [ "$threshold" -gt 2 ]; then + elif [ "$attack_momentum" -eq 1 ] && [ "$threshold" -gt 3 ]; then threshold=$((threshold - 1)) # Accelerating attack fi # Coordinated attack bonus: Lower threshold by 1 (stacks with momentum) - if [ "$coordinated_attack" -eq 1 ] && [ "$threshold" -gt 2 ]; then + if [ "$coordinated_attack" -eq 1 ] && [ "$threshold" -gt 3 ]; then threshold=$((threshold - 1)) fi - # Minimum threshold of 2 to prevent false positives - [ "$threshold" -lt 2 ] && threshold=2 + # Minimum threshold of 3 to prevent false positives on busy web servers + [ "$threshold" -lt 3 ] && threshold=3 if [ "$count" -gt "$threshold" ]; then # Only process once per detection 
window