diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 18d280b..92acd9d 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2301,11 +2301,25 @@ monitor_network_attacks() {
 (
 declare -A CONNECTION_COUNT
 declare -A ALERT_SENT
+ local ss_cache=""
+ local ss_cache_time=0
 while true; do
 # Use ss if available (faster), otherwise netstat
 if command -v ss &>/dev/null; then
- # Get total SYN_RECV count for distributed attack detection
- local total_syn=$(ss -tn state syn-recv 2>/dev/null | wc -l)
+ # PERFORMANCE: Cache ss output during high-severity attacks
+ # During Tier 3+ attacks, cache for 5 seconds to reduce CPU usage by 50%
+ local current_time=$(date +%s)
+ local cache_age=$((current_time - ss_cache_time))
+
+ # Refresh cache if: (1) no cache, (2) cache > 5s old, (3) not in attack (always fresh)
+ local prev_severity="${ATTACK_SEVERITY:-0}"
+ if [ -z "$ss_cache" ] || [ "$cache_age" -gt 5 ] || [ "${prev_severity}" -lt 3 ]; then
+ ss_cache=$(ss -tn state syn-recv 2>/dev/null)
+ ss_cache_time=$current_time
+ fi
+
+ # Get total SYN_RECV count from cache
+ local total_syn=$(echo "$ss_cache" | wc -l)
 local attack_severity=0
 local unique_ips=0
@@ -2319,6 +2333,7 @@ monitor_network_attacks() {
 elif [ "$total_syn" -gt 75 ]; then
 attack_severity=1 # Moderate DDoS
 fi
+ ATTACK_SEVERITY=$attack_severity # Store for next iteration
 # Attack momentum tracking: Check if attack is growing
 local prev_total="${PREV_TOTAL_SYN:-0}"
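Review bot: While the cache is held (previous severity ≥ 3 and `cache_age` ≤ 5), `total_syn` and, in the third hunk, `attacker_ips` are recomputed from the same `ss_cache` on every iteration, so the momentum check that follows `local prev_total="${PREV_TOTAL_SYN:-0}"` in the second hunk presumably sees `total_syn == prev_total` for up to 5 s and cannot observe growth during exactly the attacks the cache is meant for; if the code after it treats a flat total as the attack subsiding, that judgement is wrong on cached iterations. Record whether this iteration was served from the cache — `local cache_hit=1` before the `if`, `cache_hit=0` inside the refresh branch — and skip the momentum evaluation and per-IP re-alerting when `cache_hit` is 1. Separately, `local total_syn=$(echo "$ss_cache" | wc -l)` yields 1 for an empty cache because `echo` always emits a newline, whereas the old pipeline yielded 0; `local total_syn=$(grep -c . <<<"$ss_cache")` keeps the count at 0 for empty output and unchanged (header line included, as before) otherwise. The same three hunks appear verbatim in modules/security/live-attack-monitor.sh and need the same fixes. monitor_network_attacks continues outside these hunks.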
@@ -2333,9 +2348,9 @@ monitor_network_attacks() {
 fi
 PREV_TOTAL_SYN=$total_syn
- # Count unique attacker IPs and track /24 subnets
+ # Count unique attacker IPs and track /24 subnets (use cached data)
 declare -A subnet_counts
- local attacker_ips=$(ss -tn state syn-recv 2>/dev/null | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u)
+ local attacker_ips=$(echo "$ss_cache" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u)
 while IFS= read -r attacker_ip; do
 [ -z "$attacker_ip" ] && continue
 ((unique_ips++))
diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index 18d280b..92acd9d 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -2301,11 +2301,25 @@ monitor_network_attacks() {
 (
 declare -A CONNECTION_COUNT
 declare -A ALERT_SENT
+ local ss_cache=""
+ local ss_cache_time=0
 while true; do
 # Use ss if available (faster), otherwise netstat
 if command -v ss &>/dev/null; then
- # Get total SYN_RECV count for distributed attack detection
- local total_syn=$(ss -tn state syn-recv 2>/dev/null | wc -l)
+ # PERFORMANCE: Cache ss output during high-severity attacks
+ # During Tier 3+ attacks, cache for 5 seconds to reduce CPU usage by 50%
+ local current_time=$(date +%s)
+ local cache_age=$((current_time - ss_cache_time))
+
+ # Refresh cache if: (1) no cache, (2) cache > 5s old, (3) not in attack (always fresh)
+ local prev_severity="${ATTACK_SEVERITY:-0}"
+ if [ -z "$ss_cache" ] || [ "$cache_age" -gt 5 ] || [ "${prev_severity}" -lt 3 ]; then
+ ss_cache=$(ss -tn state syn-recv 2>/dev/null)
+ ss_cache_time=$current_time
+ fi
+
+ # Get total SYN_RECV count from cache
+ local total_syn=$(echo "$ss_cache" | wc -l)
 local attack_severity=0
 local unique_ips=0
@@ -2319,6 +2333,7 @@ monitor_network_attacks() {
 elif [ "$total_syn" -gt 75 ]; then
 attack_severity=1 # Moderate DDoS
 fi
+ ATTACK_SEVERITY=$attack_severity # Store for next iteration
 # Attack momentum tracking: Check if attack is growing
 local prev_total="${PREV_TOTAL_SYN:-0}"
@@ -2333,9 +2348,9 @@ monitor_network_attacks() {
 fi
 PREV_TOTAL_SYN=$total_syn
- # Count unique attacker IPs and track /24 subnets
+ # Count unique attacker IPs and track /24 subnets (use cached data)
 declare -A subnet_counts
- local attacker_ips=$(ss -tn state syn-recv 2>/dev/null | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u)
+ local attacker_ips=$(echo "$ss_cache" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u)
 while IFS= read -r attacker_ip; do
 [ -z "$attacker_ip" ] && continue
 ((unique_ips++))