From 7e5a09bf6b6ff01db9c9dfecb1c7278c6bf5894e Mon Sep 17 00:00:00 2001
From: cschantz
Date: Fri, 6 Mar 2026 23:00:56 -0500
Subject: [PATCH] CRITICAL FIX: Lower Tier 0 baseline threshold from 20 to 3 for proper detection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

With 8-41 SYN connections, IPs are distributed and typically have 3-7 connections each. Previous threshold of 20 prevented all detection. New threshold of 3 allows detection of even minor threats.
This allows detection patterns like:
- 40 connections across 8 IPs (5 each) → all 8 detected
- 40 connections across 10 IPs (4 each) → all 10 detected
- 40 connections across 20 IPs (2 each) → none detected (2 < 3)
Co-Authored-By: Claude Haiku 4.5
---
 modules/security/live-attack-monitor-v2.sh | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 9c0cc49..699ed37 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2587,17 +2587,16 @@ monitor_network_attacks() {
 CONNECTION_COUNT[$ip]=$count
 # Dynamic threshold based on attack severity + momentum:
- # CRITICAL FIX: Changed Tier 0 threshold from 20 to 5
+ # CRITICAL FIX: Changed Tier 0 threshold from 20 to 3
 # Bug: Tier 0 (< 75 total SYN) had threshold=20, preventing detection of distributed attacks
 # With 8-41 total connections spread across IPs, no single IP reaches 20, so ZERO detection
- # Fix: Lower Tier 0 to 5 to detect suspicious activity even in small-scale attacks
- # This matches Tier 4 minimum of 3 connections for true attacks
- # Tier 0: >5 connections (low-level activity, may be distributed)
+ # Fix: Lower Tier 0 to 3 to detect any suspicious SYN activity
+ # Tier 0: >3 connections (low-level activity, may be distributed)
 # Tier 1: >10 connections (75-150 total, moderate DDoS)
 # Tier 2: >6 connections (150-300 total, major DDoS)
 # Tier 3: >4 connections (300-500 total, severe DDoS)
 # Tier 4: >3 connections (500+ total, CRITICAL DDoS)
- local threshold=5
+ local threshold=3
 case "$attack_severity" in
 4) threshold=3 ;; # Critical: Very aggressive (safe for production)
 3) threshold=4 ;; # Severe: Aggressive
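Review bot: The new Tier 0 default `local threshold=3` is the same value the `4) threshold=3` branch two lines below assigns for the CRITICAL tier, so per the tier comments the lowest-volume band (under 75 total SYNs) is now stricter than Tiers 1-3 (10, 6, 4) and the per-IP threshold is no longer monotonic in total volume: an address with 5 connections would be flagged at 40 total SYNs but not at 100. Three connections from one address is also within what a single ordinary client opens in parallel, so if this count drives a blocking action rather than an alert (what happens after detection is outside the hunk), the false-positive exposure at Tier 0 is considerable and the value deserves an explicit justification in the comment. The comment and the commit message also disagree on the comparison: the comment says `>3` while the message treats 2-per-IP as undetected because `2 < 3`, which implies 3 itself triggers; the comparison is outside the hunk, so the comment should state the actual operator, e.g. `# Tier 0: >=3 connections — same value as Tier 4; low confidence, alert rather than block`, adjusted to match the code.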