cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add intelligent threat scoring for SYN flood attacks

Browse Source 
ENHANCEMENT: Multi-signal threat intelligence for SYN floods

PROBLEM:
SYN flood detection used only connection count for scoring.
Missing contextual intelligence signals that identify real threats:
- No AbuseIPDB reputation checking
- No geographic risk assessment
- No persistence tracking (sustained vs transient)
- No escalation detection (increasing attack intensity)

SOLUTION - 6 Intelligence Layers:

1. THREAT INTELLIGENCE LOOKUP (lines 2254-2295)
   On first detection:
   - AbuseIPDB confidence check (background, non-blocking)
     * High confidence (≥75%): +30 points
     * Medium confidence (≥50%): +15 points
   - Geographic risk assessment: +5 points for high-risk countries
   - Whitelisting check: Skip known-good services
   - Data cached for subsequent detections

2. BASE CONNECTION SCORING (lines 2307-2316)
   - 20-50 connections: +15 points (moderate threat)
   - 50-100 connections: +25 points (high threat)
   - 100+ connections: +40 points (critical threat)

3. PERSISTENCE DETECTION (lines 2318-2324)
   Repeated detections = sustained attack (not transient spike)
   - 5+ detections: +20 points (persistent attacker)
   - 3-4 detections: +10 points (repeated attack)
   Pattern: IP keeps appearing with high connection counts

4. ESCALATION DETECTION (lines 2326-2336)
   Rising connection count = intensifying attack
   - Increase ≥50 connections: +25 points (rapidly escalating)
   - Increase ≥20 connections: +15 points (escalating)
   Example: 30 conns → 80 conns → 150 conns = DANGER

5. ATTACK VELOCITY (existing, lines 2347-2349)
   - 20+ attacks/hour: +30 points (extreme velocity)
   - 10-19 attacks/hour: +20 points (high velocity)
   - 10+ in 5 minutes: +15 points (rapid fire)

6. COORDINATED ATTACK DETECTION (existing, lines 2351-2378)
   - Multiple attack vectors: +20 points (sophisticated)
   - Subnet-wide attacks: +15 points (botnet/DDoS)
   - Timing patterns: +10 points (automated)

SCORING EXAMPLES:

Example 1 - Transient False Positive:
- 25 connections, first detection, clean AbuseIPDB
- Score: 15 (base) = 15 total
- Result: Monitored, not blocked

Example 2 - Known Malicious Actor:
- 45 connections, AbuseIPDB 80% confidence, China
- Score: 15 (base) + 30 (AbuseIPDB) + 5 (geo) = 50 total
- Result: High threat, blocked if persists

Example 3 - Escalating Attack:
- Hit 1: 30 conns = 15 points
- Hit 2: 60 conns (+30 increase) = 25 + 15 (escalation) = 55 total
- Hit 3: 120 conns (+60 increase) = 40 + 25 (rapid esc) + 10 (repeat) = 130 → 100
- Result: INSTANT_BLOCK on 3rd detection

Example 4 - Persistent Botnet:
- Hit 5: 40 conns, part of /24 subnet attack, high velocity
- Score: 15 (base) + 20 (persistent) + 15 (subnet) + 20 (velocity) = 70
- Hit 6: Score 70 + 25 (base) = 95 → AUTO_BLOCK

This creates intelligent, context-aware blocking that distinguishes
real threats from noise.
This commit is contained in:
cschantz
2025-12-24 19:26:22 -05:00
parent 26c69175cd
commit 72ad73819f
1 changed files with 63 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/security/live-attack-monitor.sh
+63
View File
@@ -2251,6 +2251,49 @@ monitor_network_attacks() {
# Increment hits
hits=$((hits + 1))
# Enhanced threat intelligence on first detection
if [ "${hits:-0}" -eq 1 ]; then
# Check if whitelisted service first
if is_whitelisted_service "$ip" 2>/dev/null; then
continue # Skip whitelisted IPs
fi
# Get threat intelligence in background to avoid slowdown
(
local threat_intel=$(get_threat_intelligence "$ip" 2>/dev/null)
IFS='|' read -r abuse_conf abuse_rpts country isp geo timing whitelisted <<< "$threat_intel"
# Store enrichment for later use
echo "$threat_intel" > "$TEMP_DIR/threat_enrich_${ip//\./_}"
# Apply reputation boosts based on AbuseIPDB
if [ "${abuse_conf:-0}" -ge 75 ]; then
# High confidence malicious - add 30 points
local curr_data=$(cat "$ip_file" 2>/dev/null || echo "0|0|human||0|0")
IFS='|' read -r old_score old_hits old_bot old_attacks old_ban old_rep <<< "$curr_data"
local new_score=$((old_score + 30))
[ "$new_score" -gt 100 ] && new_score=100
echo "$new_score|$old_hits|$old_bot|$old_attacks|$old_ban|$old_rep" > "$ip_file"
elif [ "${abuse_conf:-0}" -ge 50 ]; then
# Medium confidence - add 15 points
local curr_data=$(cat "$ip_file" 2>/dev/null || echo "0|0|human||0|0")
IFS='|' read -r old_score old_hits old_bot old_attacks old_ban old_rep <<< "$curr_data"
local new_score=$((old_score + 15))
[ "$new_score" -gt 100 ] && new_score=100
echo "$new_score|$old_hits|$old_bot|$old_attacks|$old_ban|$old_rep" > "$ip_file"
fi
# High-risk country adds 5 points
if is_high_risk_country "${geo:-XX}" 2>/dev/null; then
local curr_data=$(cat "$ip_file" 2>/dev/null || echo "0|0|human||0|0")
IFS='|' read -r old_score old_hits old_bot old_attacks old_ban old_rep <<< "$curr_data"
local new_score=$((old_score + 5))
[ "$new_score" -gt 100 ] && new_score=100
echo "$new_score|$old_hits|$old_bot|$old_attacks|$old_ban|$old_rep" > "$ip_file"
fi
) &
fi
# Record attack intelligence
record_attack_timestamp "$ip"
record_attack_vector "$ip" "NETWORK"
@@ -2272,6 +2315,26 @@ monitor_network_attacks() {
conn_bonus=15
fi
# Connection persistence bonus (repeated detections of same IP)
# This indicates sustained attack vs transient spike
if [ "${hits:-0}" -ge 5 ]; then
conn_bonus=$((conn_bonus + 20)) # Persistent attacker
elif [ "${hits:-0}" -ge 3 ]; then
conn_bonus=$((conn_bonus + 10)) # Repeated attack
fi
# Connection escalation detection
# Check if connection count is increasing (more aggressive attack)
local prev_count="${CONNECTION_COUNT[$ip]:-0}"
if [ "$count" -gt "$prev_count" ] && [ "$prev_count" -gt 0 ]; then
local increase=$((count - prev_count))
if [ "$increase" -ge 50 ]; then
conn_bonus=$((conn_bonus + 25)) # Rapidly escalating
elif [ "$increase" -ge 20 ]; then
conn_bonus=$((conn_bonus + 15)) # Escalating
fi
fi
# First hit or add to existing score
if [ "${hits:-0}" -eq 1 ]; then
score=$conn_bonus