Adjust DDoS thresholds for production web servers
Raised minimum thresholds to prevent false positives on busy websites:

Previous (too aggressive for web servers):
- Tier 4: >2 connections
- Tier 3: >3 connections
- Tier 2: >5 connections
- Tier 1: >8 connections
- Minimum: 2

New (production-safe):
- Tier 4: >3 connections (500+ total SYN)
- Tier 3: >4 connections (300-500 total)
- Tier 2: >6 connections (150-300 total)
- Tier 1: >10 connections (75-150 total)
- Minimum: 3

Rationale: Web servers handle legitimate high traffic with brief SYN_RECV spikes. Corporate NAT, mobile users, and APIs can cause 2-3 SYN_RECV legitimately. Minimum of 3 prevents false positives while still catching distributed attacks. Your 512-connection attack still triggers Tier 4 with threshold 3, detecting 40+ attacking IPs while protecting legitimate traffic.
@@ -2315,32 +2315,32 @@ monitor_network_attacks() {
# Dynamic threshold based on attack severity + momentum:
# Tier 0: >20 connections (normal, focused attack)
# Tier 1: >8 connections (75-150 total, moderate DDoS)
# Tier 2: >5 connections (150-300 total, major DDoS)
# Tier 3: >3 connections (300-500 total, severe DDoS)
# Tier 4: >2 connections (500+ total, CRITICAL DDoS)
# Tier 1: >10 connections (75-150 total, moderate DDoS)
# Tier 2: >6 connections (150-300 total, major DDoS)
# Tier 3: >4 connections (300-500 total, severe DDoS)
# Tier 4: >3 connections (500+ total, CRITICAL DDoS)
local threshold=20
case "$attack_severity" in
4) threshold=2 ;; # Critical: Hyper-aggressive
3) threshold=3 ;; # Severe: Very aggressive
2) threshold=5 ;; # Major: Aggressive
1) threshold=8 ;; # Moderate: Balanced
4) threshold=3 ;; # Critical: Very aggressive (safe for production)
3) threshold=4 ;; # Severe: Aggressive
2) threshold=6 ;; # Major: Balanced
1) threshold=10 ;; # Moderate: Conservative
esac

# Attack momentum adaptation: Lower threshold if attack is growing
if [ "$attack_momentum" -eq 2 ] && [ "$threshold" -gt 2 ]; then
if [ "$attack_momentum" -eq 2 ] && [ "$threshold" -gt 3 ]; then
threshold=$((threshold - 2)) # Rapidly accelerating attack
elif [ "$attack_momentum" -eq 1 ] && [ "$threshold" -gt 2 ]; then
elif [ "$attack_momentum" -eq 1 ] && [ "$threshold" -gt 3 ]; then
threshold=$((threshold - 1)) # Accelerating attack
fi

# Coordinated attack bonus: Lower threshold by 1 (stacks with momentum)
if [ "$coordinated_attack" -eq 1 ] && [ "$threshold" -gt 2 ]; then
if [ "$coordinated_attack" -eq 1 ] && [ "$threshold" -gt 3 ]; then
threshold=$((threshold - 1))
fi

# Minimum threshold of 2 to prevent false positives
[ "$threshold" -lt 2 ] && threshold=2
# Minimum threshold of 3 to prevent false positives on busy web servers
[ "$threshold" -lt 3 ] && threshold=3

if [ "$count" -gt "$threshold" ]; then
# Only process once per detection window

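Review bot: the new floor of 3 is hard-coded in five places in this hunk (the three `-gt 3` guards, the `-lt 3` clamp and the `4) threshold=3` tier value), which is exactly why a one-number tuning change had to touch so many lines; pull it into a single variable, e.g. `local min_threshold=3`, write the guards as `[ "$threshold" -gt "$min_threshold" ]` and the clamp as `[ "$threshold" -lt "$min_threshold" ] && threshold=$min_threshold`, so the next adjustment is one edit. The tier comments also deserve a note on a side effect of this change: with Tier 4 now starting at 3, every `-gt 3` guard is false there, so the momentum and coordinated-attack adjustments no longer apply at the critical tier, and at Tier 3 (threshold 4) the momentum `threshold - 2` step yields 2 and is clamped straight back to 3, so it behaves as `- 1`; if that is the intended behaviour, say so next to the tier table rather than leaving "stacks with momentum" as the only description.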