From 72ad73819f5f47818812d2cabbca046fc10472a5 Mon Sep 17 00:00:00 2001 
From: cschantz Date: Wed, 24 Dec 2025 19:26:22 -0500 Subject: [PATCH] Add intelligent threat scoring for SYN flood attacks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ENHANCEMENT: Multi-signal threat intelligence for SYN floods PROBLEM: SYN flood detection used only connection count for scoring. Missing contextual intelligence signals that identify real threats: - No AbuseIPDB reputation checking - No geographic risk assessment - No persistence tracking (sustained vs transient) - No escalation detection (increasing attack intensity) SOLUTION - 6 Intelligence Layers: 1. THREAT INTELLIGENCE LOOKUP (lines 2254-2295) On first detection: - AbuseIPDB confidence check (background, non-blocking) * High confidence (≥75%): +30 points * Medium confidence (≥50%): +15 points - Geographic risk assessment: +5 points for high-risk countries - Whitelisting check: Skip known-good services - Data cached for subsequent detections 2. BASE CONNECTION SCORING (lines 2307-2316) - 20-50 connections: +15 points (moderate threat) - 50-100 connections: +25 points (high threat) - 100+ connections: +40 points (critical threat) 3. PERSISTENCE DETECTION (lines 2318-2324) Repeated detections = sustained attack (not transient spike) - 5+ detections: +20 points (persistent attacker) - 3-4 detections: +10 points (repeated attack) Pattern: IP keeps appearing with high connection counts 4. ESCALATION DETECTION (lines 2326-2336) Rising connection count = intensifying attack - Increase ≥50 connections: +25 points (rapidly escalating) - Increase ≥20 connections: +15 points (escalating) Example: 30 conns → 80 conns → 150 conns = DANGER 5. ATTACK VELOCITY (existing, lines 2347-2349) - 20+ attacks/hour: +30 points (extreme velocity) - 10-19 attacks/hour: +20 points (high velocity) - 10+ in 5 minutes: +15 points (rapid fire) 6. 
COORDINATED ATTACK DETECTION (existing, lines 2351-2378) - Multiple attack vectors: +20 points (sophisticated) - Subnet-wide attacks: +15 points (botnet/DDoS) - Timing patterns: +10 points (automated) SCORING EXAMPLES: Example 1 - Transient False Positive: - 25 connections, first detection, clean AbuseIPDB - Score: 15 (base) = 15 total - Result: Monitored, not blocked Example 2 - Known Malicious Actor: - 45 connections, AbuseIPDB 80% confidence, China - Score: 15 (base) + 30 (AbuseIPDB) + 5 (geo) = 50 total - Result: High threat, blocked if persists Example 3 - Escalating Attack: - Hit 1: 30 conns = 15 points - Hit 2: 60 conns (+30 increase) = 25 + 15 (escalation) = 55 total - Hit 3: 120 conns (+60 increase) = 40 + 25 (rapid esc) + 10 (repeat) = 130 → 100 - Result: INSTANT_BLOCK on 3rd detection Example 4 - Persistent Botnet: - Hit 5: 40 conns, part of /24 subnet attack, high velocity - Score: 15 (base) + 20 (persistent) + 15 (subnet) + 20 (velocity) = 70 - Hit 6: Score 70 + 25 (base) = 95 → AUTO_BLOCK This creates intelligent, context-aware blocking that distinguishes real threats from noise.
---
 modules/security/live-attack-monitor.sh | 63 +++++++++++++++++++++++++
 1 file changed, 63 insertions(+)

diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index 535492d..dbee0dc 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -2251,6 +2251,49 @@ monitor_network_attacks() {
 # Increment hits
 hits=$((hits + 1))
 
+ # Enhanced threat intelligence on first detection
+ if [ "${hits:-0}" -eq 1 ]; then
+ # Check if whitelisted service first
+ if is_whitelisted_service "$ip" 2>/dev/null; then
+ continue # Skip whitelisted IPs
+ fi
+
+ # Get threat intelligence in background to avoid slowdown
+ (
+ local threat_intel=$(get_threat_intelligence "$ip" 2>/dev/null)
+ IFS='|' read -r abuse_conf abuse_rpts country isp geo timing whitelisted <<< "$threat_intel"
+
+ # Store enrichment for later use
+ echo "$threat_intel" > "$TEMP_DIR/threat_enrich_${ip//\./_}"
+
+ # Apply reputation boosts based on AbuseIPDB
+ if [ "${abuse_conf:-0}" -ge 75 ]; then
+ # High confidence malicious - add 30 points
+ local curr_data=$(cat "$ip_file" 2>/dev/null || echo "0|0|human||0|0")
+ IFS='|' read -r old_score old_hits old_bot old_attacks old_ban old_rep <<< "$curr_data"
+ local new_score=$((old_score + 30))
+ [ "$new_score" -gt 100 ] && new_score=100
+ echo "$new_score|$old_hits|$old_bot|$old_attacks|$old_ban|$old_rep" > "$ip_file"
+ elif [ "${abuse_conf:-0}" -ge 50 ]; then
+ # Medium confidence - add 15 points
+ local curr_data=$(cat "$ip_file" 2>/dev/null || echo "0|0|human||0|0")
+ IFS='|' read -r old_score old_hits old_bot old_attacks old_ban old_rep <<< "$curr_data"
+ local new_score=$((old_score + 15))
+ [ "$new_score" -gt 100 ] && new_score=100
+ echo "$new_score|$old_hits|$old_bot|$old_attacks|$old_ban|$old_rep" > "$ip_file"
+ fi
+
+ # High-risk country adds 5 points
+ if is_high_risk_country "${geo:-XX}" 2>/dev/null; then
+ local curr_data=$(cat "$ip_file" 2>/dev/null || echo "0|0|human||0|0")
+ IFS='|' read -r old_score old_hits old_bot old_attacks old_ban old_rep <<< "$curr_data"
+ local new_score=$((old_score + 5))
+ [ "$new_score" -gt 100 ] && new_score=100
+ echo "$new_score|$old_hits|$old_bot|$old_attacks|$old_ban|$old_rep" > "$ip_file"
+ fi
+ ) &
+ fi
+
 # Record attack intelligence
 record_attack_timestamp "$ip"
 record_attack_vector "$ip" "NETWORK"
@@ -2272,6 +2315,26 @@ monitor_network_attacks() {
 conn_bonus=15
 fi
 
+ # Connection persistence bonus (repeated detections of same IP)
+ # This indicates sustained attack vs transient spike
+ if [ "${hits:-0}" -ge 5 ]; then
+ conn_bonus=$((conn_bonus + 20)) # Persistent attacker
+ elif [ "${hits:-0}" -ge 3 ]; then
+ conn_bonus=$((conn_bonus + 10)) # Repeated attack
+ fi
+
+ # Connection escalation detection
+ # Check if connection count is increasing (more aggressive attack)
+ local prev_count="${CONNECTION_COUNT[$ip]:-0}"
+ if [ "$count" -gt "$prev_count" ] && [ "$prev_count" -gt 0 ]; then
+ local increase=$((count - prev_count))
+ if [ "$increase" -ge 50 ]; then
+ conn_bonus=$((conn_bonus + 25)) # Rapidly escalating
+ elif [ "$increase" -ge 20 ]; then
+ conn_bonus=$((conn_bonus + 15)) # Escalating
+ fi
+ fi
+
 # First hit or add to existing score
 if [ "${hits:-0}" -eq 1 ]; then
 score=$conn_bonus
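Review bot: The backgrounded subshell in the first hunk does an unsynchronised read-modify-write of `$ip_file` (`cat` … `echo … > "$ip_file"`) while the foreground loop keeps running and, a few lines later, computes `score` for the same IP and presumably writes the same record outside this hunk, so whichever writer lands last silently discards the other's update — and because the background path waits on a network lookup it will usually be the late one, overwriting a fresher record with stale `old_hits`/`old_score` plus the bonus. The three copies of that read-modify-write also differ only in the constant, and `abuse_conf` comes straight from an external service into `[ … -ge 75 ]`, where a non-numeric or empty-field reply makes `[` return 2 (treated as false) with an error on stderr rather than a clean "no data" result. I would collapse the three blocks into one helper that takes an `flock` on a per-record lock file and validates the number first, as below; the foreground writer must acquire the same lock for this to hold, or alternatively the background side should only write the `threat_enrich_*` cache and let the foreground apply the boost on its next pass, which removes the shared write entirely. The enclosing `monitor_network_attacks` function and its loop start and end outside the hunk.
```shell
#######################################
# Add points to the score field of an IP record, clamped to 100.
# Serialises the read-modify-write under flock so the background
# enrichment and the foreground scan cannot lose each other's write
# (the foreground writer has to take the same lock).
# Arguments: $1 - record file, $2 - points to add
#######################################
add_score_points() {
  local ip_file=$1 points=$2
  local curr_data old_score old_hits old_bot old_attacks old_ban old_rep
  (
    flock -x 9 || exit 1
    curr_data=$(cat "$ip_file" 2>/dev/null || echo "0|0|human||0|0")
    IFS='|' read -r old_score old_hits old_bot old_attacks old_ban old_rep <<< "$curr_data"
    old_score=$(( ${old_score:-0} + points ))
    [ "$old_score" -gt 100 ] && old_score=100
    echo "$old_score|$old_hits|$old_bot|$old_attacks|$old_ban|$old_rep" > "$ip_file"
  ) 9>>"${ip_file}.lock"
}

# … unchanged: whitelist check, start of background subshell, threat_intel read and threat_enrich write …
          # Reject anything non-numeric from the external lookup before -ge sees it
          [[ "${abuse_conf:-}" =~ ^[0-9]+$ ]] || abuse_conf=0
          if [ "$abuse_conf" -ge 75 ]; then
            add_score_points "$ip_file" 30   # High confidence malicious
          elif [ "$abuse_conf" -ge 50 ]; then
            add_score_points "$ip_file" 15   # Medium confidence
          fi
          if is_high_risk_country "${geo:-XX}" 2>/dev/null; then
            add_score_points "$ip_file" 5    # High-risk country
          fi
# … unchanged: close of subshell ") &" and "fi" …
```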
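Review bot: In the second hunk `CONNECTION_COUNT[$ip]` is only read (`local prev_count="${CONNECTION_COUNT[$ip]:-0}"`), never assigned, so the escalation branch works only if something outside the hunk stores the current `count` after this point; if that store happens earlier in the loop `prev_count` equals `count` and the branch is dead, and if it never happens `prev_count` stays `0` and the `-gt 0` guard disables it. Unless the assignment exists later, add `CONNECTION_COUNT[$ip]=$count` right after the escalation `fi` so the next scan compares against this one. The array also needs to be `declare -A` somewhere above; with an indexed array a dotted IP subscript is an arithmetic-evaluation error under bash, which I cannot confirm from the hunk. A comment on the persistence block would help readers: `# hits counts scan passes over threshold, not seconds; thresholds are in monitor intervals`. The enclosing function starts and ends outside the hunk.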