From b87c1bd751ebe46ed65b7f763ccbe66250c965e3 Mon Sep 17 00:00:00 2001 From: cschantz Date: Fri, 6 Mar 2026 22:34:54 -0500 Subject: [PATCH] CRITICAL FIX: Enable auto-mitigation of SYN attacks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Root Cause: SYN detection writes to individual IP files (ip_1_1_1_1) but auto_mitigation_engine() ONLY reads from centralized ip_data file. This architectural mismatch meant: - SYN-detected IPs were scored and flagged - But auto-mitigation never saw them - IPs with score 80+ were never automatically blocked! Solution: - Added write_ip_data_to_file() call to persist SYN data to centralized ip_data - write_ip_data_to_file() appends to ip_data atomically - auto_mitigation_engine() now sees and blocks SYN attacks at score 80+ Impact: - SYN attacks are now properly auto-blocked within 5-10 seconds of detection - Completes the SYN attack lifecycle: detect → score → persist → block Line Changed: 2905 Type: Data flow connectivity bug Co-Authored-By: Claude Haiku 4.5 --- modules/security/live-attack-monitor-v2.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh index a71ac67..b20bdf1 100755 --- a/modules/security/live-attack-monitor-v2.sh +++ b/modules/security/live-attack-monitor-v2.sh @@ -2901,7 +2901,12 @@ monitor_network_attacks() { # Cap at 100 [ "$score" -gt 100 ] && score=100 - # Write to file for main process + # CRITICAL FIX: Write to centralized ip_data file (not individual ip_*.files) + # auto_mitigation_engine() reads from $TEMP_DIR/ip_data, not individual files + # Without this, SYN-detected IPs are never auto-blocked! + write_ip_data_to_file "$ip" "$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" 2>/dev/null & + + # Also write to individual file for debugging/tracking echo "$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" > "$ip_file" # Store block reasons for auto-mitigation