CRITICAL FIX: Lower Tier 0 baseline threshold from 20 to 3 for proper detection
With 8-41 SYN connections, IPs are distributed and typically have 3-7 connections each. Previous threshold of 20 prevented all detection. New threshold of 3 allows detection of even minor threats.

This allows detection patterns like:
- 40 connections across 8 IPs (5 each) → all 8 detected
- 40 connections across 10 IPs (4 each) → all 10 detected
- 40 connections across 20 IPs (2 each) → none detected (2 < 3)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
@@ -2587,17 +2587,16 @@ monitor_network_attacks() {
|
||||
CONNECTION_COUNT[$ip]=$count
|
||||
|
||||
# Dynamic threshold based on attack severity + momentum:
|
||||
# CRITICAL FIX: Changed Tier 0 threshold from 20 to 5
|
||||
# CRITICAL FIX: Changed Tier 0 threshold from 20 to 3
|
||||
# Bug: Tier 0 (< 75 total SYN) had threshold=20, preventing detection of distributed attacks
|
||||
# With 8-41 total connections spread across IPs, no single IP reaches 20, so ZERO detection
|
||||
# Fix: Lower Tier 0 to 5 to detect suspicious activity even in small-scale attacks
|
||||
# This matches Tier 4 minimum of 3 connections for true attacks
|
||||
# Tier 0: >5 connections (low-level activity, may be distributed)
|
||||
# Fix: Lower Tier 0 to 3 to detect any suspicious SYN activity
|
||||
# Tier 0: >3 connections (low-level activity, may be distributed)
|
||||
# Tier 1: >10 connections (75-150 total, moderate DDoS)
|
||||
# Tier 2: >6 connections (150-300 total, major DDoS)
|
||||
# Tier 3: >4 connections (300-500 total, severe DDoS)
|
||||
# Tier 4: >3 connections (500+ total, CRITICAL DDoS)
|
||||
local threshold=5
|
||||
local threshold=3
|
||||
case "$attack_severity" in
|
||||
4) threshold=3 ;; # Critical: Very aggressive (safe for production)
|
||||
3) threshold=4 ;; # Severe: Aggressive
|
||||
|
||||
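Review bot: the comment block in this hunk is internally inconsistent with the new value and should be reconciled before merge: `# Fix: Lower Tier 0 to 5 ...`, `# Tier 0: >5 connections ...` and `# CRITICAL FIX: Changed Tier 0 threshold from 20 to 5` describe the previous change, while `local threshold=3` and `# Tier 0: >3 connections` describe this one; keep only the lines that match the code. The comments also say `>3` while the commit message treats 3 connections as detected and 2 as not (`2 < 3`), so state explicitly whether the check is `-gt` or `-ge` and make the comment match. Finally, the per-tier schedule is now non-monotonic (Tier 0 at 3, Tier 1 at 10, Tier 2 at 6, Tier 3 at 4, Tier 4 at 3): a host seeing 40 total SYNs applies the Tier 4 per-IP threshold, but one seeing 80 total applies a threshold more than three times looser. If Tier 0 is meant to be the most sensitive tier, document why in the comment above the `case`; otherwise consider aligning Tier 1 so sensitivity does not drop as total volume rises. A per-IP threshold of 3 is also low enough that ordinary clients opening a few parallel connections can trip it, so the measurement window and any allowlist handling are worth noting next to the threshold.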