Add intelligent threat scoring for SYN flood attacks

ENHANCEMENT: Multi-signal threat intelligence for SYN floods

PROBLEM:
SYN flood detection used only connection count for scoring.
Missing contextual intelligence signals that identify real threats:
- No AbuseIPDB reputation checking
- No geographic risk assessment
- No persistence tracking (sustained vs transient)
- No escalation detection (increasing attack intensity)

SOLUTION - 6 Intelligence Layers:

1. THREAT INTELLIGENCE LOOKUP (lines 2254-2295)
   On first detection:
   - AbuseIPDB confidence check (background, non-blocking)
     * High confidence (≥75%): +30 points
     * Medium confidence (≥50%): +15 points
   - Geographic risk assessment: +5 points for high-risk countries
   - Whitelisting check: Skip known-good services
   - Data cached for subsequent detections

2. BASE CONNECTION SCORING (lines 2307-2316)
   - 20-50 connections: +15 points (moderate threat)
   - 50-100 connections: +25 points (high threat)
   - 100+ connections: +40 points (critical threat)

3. PERSISTENCE DETECTION (lines 2318-2324)
   Repeated detections = sustained attack (not transient spike)
   - 5+ detections: +20 points (persistent attacker)
   - 3-4 detections: +10 points (repeated attack)
   Pattern: IP keeps appearing with high connection counts

4. ESCALATION DETECTION (lines 2326-2336)
   Rising connection count = intensifying attack
   - Increase ≥50 connections: +25 points (rapidly escalating)
   - Increase ≥20 connections: +15 points (escalating)
   Example: 30 conns → 80 conns → 150 conns = DANGER

5. ATTACK VELOCITY (existing, lines 2347-2349)
   - 20+ attacks/hour: +30 points (extreme velocity)
   - 10-19 attacks/hour: +20 points (high velocity)
   - 10+ in 5 minutes: +15 points (rapid fire)

6. COORDINATED ATTACK DETECTION (existing, lines 2351-2378)
   - Multiple attack vectors: +20 points (sophisticated)
   - Subnet-wide attacks: +15 points (botnet/DDoS)
   - Timing patterns: +10 points (automated)

SCORING EXAMPLES:

Example 1 - Transient False Positive:
- 25 connections, first detection, clean AbuseIPDB
- Score: 15 (base) = 15 total
- Result: Monitored, not blocked

Example 2 - Known Malicious Actor:
- 45 connections, AbuseIPDB 80% confidence, China
- Score: 15 (base) + 30 (AbuseIPDB) + 5 (geo) = 50 total
- Result: High threat, blocked if persists

Example 3 - Escalating Attack:
- Hit 1: 30 conns = 15 points
- Hit 2: 60 conns (+30 increase) = 25 + 15 (escalation) = 55 total
- Hit 3: 120 conns (+60 increase) = 40 + 25 (rapid esc) + 10 (repeat) = 130 → 100
- Result: INSTANT_BLOCK on 3rd detection

Example 4 - Persistent Botnet:
- Hit 5: 40 conns, part of /24 subnet attack, high velocity
- Score: 15 (base) + 20 (persistent) + 15 (subnet) + 20 (velocity) = 70
- Hit 6: Score 70 + 25 (base) = 95 → AUTO_BLOCK

This creates intelligent, context-aware blocking that distinguishes
real threats from noise.
@@ -2251,6 +2251,49 @@ monitor_network_attacks() {
|
|||||||
# Increment hits
|
# Increment hits
|
||||||
hits=$((hits + 1))
|
hits=$((hits + 1))
|
||||||
|
|
||||||
|
# Enhanced threat intelligence on first detection
|
||||||
|
if [ "${hits:-0}" -eq 1 ]; then
|
||||||
|
# Check if whitelisted service first
|
||||||
|
if is_whitelisted_service "$ip" 2>/dev/null; then
|
||||||
|
continue # Skip whitelisted IPs
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Get threat intelligence in background to avoid slowdown
|
||||||
|
(
|
||||||
|
local threat_intel=$(get_threat_intelligence "$ip" 2>/dev/null)
|
||||||
|
IFS='|' read -r abuse_conf abuse_rpts country isp geo timing whitelisted <<< "$threat_intel"
|
||||||
|
|
||||||
|
# Store enrichment for later use
|
||||||
|
echo "$threat_intel" > "$TEMP_DIR/threat_enrich_${ip//\./_}"
|
||||||
|
|
||||||
|
# Apply reputation boosts based on AbuseIPDB
|
||||||
|
if [ "${abuse_conf:-0}" -ge 75 ]; then
|
||||||
|
# High confidence malicious - add 30 points
|
||||||
|
local curr_data=$(cat "$ip_file" 2>/dev/null || echo "0|0|human||0|0")
|
||||||
|
IFS='|' read -r old_score old_hits old_bot old_attacks old_ban old_rep <<< "$curr_data"
|
||||||
|
local new_score=$((old_score + 30))
|
||||||
|
[ "$new_score" -gt 100 ] && new_score=100
|
||||||
|
echo "$new_score|$old_hits|$old_bot|$old_attacks|$old_ban|$old_rep" > "$ip_file"
|
||||||
|
elif [ "${abuse_conf:-0}" -ge 50 ]; then
|
||||||
|
# Medium confidence - add 15 points
|
||||||
|
local curr_data=$(cat "$ip_file" 2>/dev/null || echo "0|0|human||0|0")
|
||||||
|
IFS='|' read -r old_score old_hits old_bot old_attacks old_ban old_rep <<< "$curr_data"
|
||||||
|
local new_score=$((old_score + 15))
|
||||||
|
[ "$new_score" -gt 100 ] && new_score=100
|
||||||
|
echo "$new_score|$old_hits|$old_bot|$old_attacks|$old_ban|$old_rep" > "$ip_file"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# High-risk country adds 5 points
|
||||||
|
if is_high_risk_country "${geo:-XX}" 2>/dev/null; then
|
||||||
|
local curr_data=$(cat "$ip_file" 2>/dev/null || echo "0|0|human||0|0")
|
||||||
|
IFS='|' read -r old_score old_hits old_bot old_attacks old_ban old_rep <<< "$curr_data"
|
||||||
|
local new_score=$((old_score + 5))
|
||||||
|
[ "$new_score" -gt 100 ] && new_score=100
|
||||||
|
echo "$new_score|$old_hits|$old_bot|$old_attacks|$old_ban|$old_rep" > "$ip_file"
|
||||||
|
fi
|
||||||
|
) &
|
||||||
|
fi
|
||||||
|
|
||||||
# Record attack intelligence
|
# Record attack intelligence
|
||||||
record_attack_timestamp "$ip"
|
record_attack_timestamp "$ip"
|
||||||
record_attack_vector "$ip" "NETWORK"
|
record_attack_vector "$ip" "NETWORK"
|
||||||
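Review bot: the background subshell started at `(` ... `) &` performs a read-modify-write of `$ip_file` (`cat "$ip_file"`, add the bonus, `echo ... > "$ip_file"`) while the foreground path of the same first hit computes `score=$conn_bonus` and writes the same file, so whichever side writes last silently discards the other's update: either the reputation boost is lost or it is applied on top of a stale score. Suggest writing the +30/+15/+5 boosts only into the enrichment file `$TEMP_DIR/threat_enrich_${ip//\./_}` and letting the foreground read and apply them on the next pass, or at minimum serialising both writers with `flock` on `$ip_file` and replacing the non-atomic `echo ... > "$ip_file"` with write-to-temp-and-`mv`. Two smaller points in the same block: the three identical cat/read/add/clamp/echo sequences should be one helper that takes the bonus as an argument, and `${abuse_conf:-0}` only covers an empty field, so a non-numeric value coming back from `get_threat_intelligence` (an error string, for example) makes `[ ... -ge 75 ]` fail with a test error instead of skipping; check that it is an integer before the comparison. Finally, `is_whitelisted_service` runs only when `hits` is 1 and its errors go to `/dev/null`, so a lookup failure on the first detection is never retried.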
@@ -2272,6 +2315,26 @@ monitor_network_attacks() {
|
|||||||
conn_bonus=15
|
conn_bonus=15
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Connection persistence bonus (repeated detections of same IP)
|
||||||
|
# This indicates sustained attack vs transient spike
|
||||||
|
if [ "${hits:-0}" -ge 5 ]; then
|
||||||
|
conn_bonus=$((conn_bonus + 20)) # Persistent attacker
|
||||||
|
elif [ "${hits:-0}" -ge 3 ]; then
|
||||||
|
conn_bonus=$((conn_bonus + 10)) # Repeated attack
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Connection escalation detection
|
||||||
|
# Check if connection count is increasing (more aggressive attack)
|
||||||
|
local prev_count="${CONNECTION_COUNT[$ip]:-0}"
|
||||||
|
if [ "$count" -gt "$prev_count" ] && [ "$prev_count" -gt 0 ]; then
|
||||||
|
local increase=$((count - prev_count))
|
||||||
|
if [ "$increase" -ge 50 ]; then
|
||||||
|
conn_bonus=$((conn_bonus + 25)) # Rapidly escalating
|
||||||
|
elif [ "$increase" -ge 20 ]; then
|
||||||
|
conn_bonus=$((conn_bonus + 15)) # Escalating
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
# First hit or add to existing score
|
# First hit or add to existing score
|
||||||
if [ "${hits:-0}" -eq 1 ]; then
|
if [ "${hits:-0}" -eq 1 ]; then
|
||||||
score=$conn_bonus
|
score=$conn_bonus
|
||||||
|
|||||||
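Review bot: the escalation check reads `prev_count="${CONNECTION_COUNT[$ip]:-0}"` but nothing in this hunk writes the current `$count` back into `CONNECTION_COUNT[$ip]`, so the result depends on where that update lives: if the array is filled when connections are counted earlier in the loop, `prev_count` always equals `count` and the escalation bonus never fires; if it is never filled, the `[ "$prev_count" -gt 0 ]` guard disables the block entirely. Add `CONNECTION_COUNT[$ip]=$count` after the closing `fi` of the escalation block (with the array declared via `declare -A`) so each pass compares against the previous detection's count. Also, `hits` is not reset here and the score is carried forward ("add to existing score"), so once `hits` reaches 5 the +20 persistence bonus is added on every subsequent pass; the commit message's Example 4 computes Hit 6 as `70 + 25 (base) = 95` without that extra +20, so either the example or the code is wrong and the intended behaviour should be stated in the comment.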