Fix established_conns parsing + increase Tier 4 DDoS scoring for instant blocking

Bug 1: Line 2363 integer expression error
Error: [: 0\n0: integer expression expected
Cause: grep -c with || echo 0 was outputting multiple lines
Fix: Changed to grep | wc -l with empty check

Bug 2: Tier 4 DDoS (512 SYN) only scoring 55 points, not auto-blocking
Problem: 500+ connection attacks getting detected but not blocked
Analysis:
  Base: 15 points
  Old Tier 4: +25 points
  Momentum: +15 points
  Total: 55 points (need 80 for auto-block)

Fix: Increased Tier 4 severity bonus from +25 to +50
New scoring for 512 SYN attack:
  Base: 15
  Tier 4: +50 (DOUBLED)
  Rapid Accel: +15
  Total: 80 points → INSTANT AUTO-BLOCK on first detection

Also adjusted other tiers proportionally:
  Tier 1: +5 → +8
  Tier 2: +10 → +15
  Tier 3: +15 → +30
  Tier 4: +25 → +50

Rationale:
- 500+ SYN_RECV is an extreme attack
- Should block immediately, not wait for persistence
- User reported active 512-connection attack not blocking
- Now blocks on first 15-second detection cycle
cschantz
2025-12-24 20:42:31 -05:00
parent 996be0bdd0
commit cae9db2d53
2 changed files with 14 additions and 10 deletions
+7 -5
@@ -2359,7 +2359,8 @@ monitor_network_attacks() {
hits=$((hits + 1))
# Smart whitelisting: Skip IPs with successful established connections
local established_conns=$(ss -tn state established 2>/dev/null | grep -c "$ip" || echo "0")
local established_conns=$(ss -tn state established 2>/dev/null | grep "$ip" | wc -l)
[ -z "$established_conns" ] && established_conns=0
if [ "$established_conns" -ge 5 ]; then
# IP has 5+ established connections = legitimate traffic
continue
@@ -2462,11 +2463,12 @@ monitor_network_attacks() {
# Distributed attack severity bonus
# Higher severity = more dangerous, boost scores
# Tier 4 (500+ SYN) is extreme - should auto-block immediately
case "$attack_severity" in
4) conn_bonus=$((conn_bonus + 25)) ;; # Critical DDoS
3) conn_bonus=$((conn_bonus + 15)) ;; # Severe DDoS
2) conn_bonus=$((conn_bonus + 10)) ;; # Major DDoS
1) conn_bonus=$((conn_bonus + 5)) ;; # Moderate DDoS
4) conn_bonus=$((conn_bonus + 50)) ;; # Critical DDoS (INSTANT BLOCK)
3) conn_bonus=$((conn_bonus + 30)) ;; # Severe DDoS
2) conn_bonus=$((conn_bonus + 15)) ;; # Major DDoS
1) conn_bonus=$((conn_bonus + 8)) ;; # Moderate DDoS
esac
# Attack momentum bonus (growing attack = more dangerous)
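Review bot: The whitelist count on the new line `local established_conns=$(ss -tn state established 2>/dev/null | grep "$ip" | wc -l)` still treats `$ip` as an unanchored regex, so the dots match any character and an address such as 10.0.0.1 is also counted against lines for 10.0.0.10, against the local-address column, and against any longer address that contains it; an attacking IP can thereby inherit another host's established-connection count and pass the `-ge 5` skip that follows. Counting with a fixed string anchored on the port separator, `local established_conns=$(ss -tn state established 2>/dev/null | grep -cF -- "$ip:")`, removes both the regex interpretation and the IPv4 prefix overlap (IPv6 peers are printed as `[addr]:port`, so they would need their own match), and because `grep -c` always prints a number even with no match, the `[ -z "$established_conns" ]` fallback on the next line becomes unnecessary. The `local var=$(...)` form also masks the pipeline's exit status, though that is pre-existing. monitor_network_attacks starts and ends outside the hunk, and the same lines appear unchanged in the second file section below.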
+7 -5
@@ -2359,7 +2359,8 @@ monitor_network_attacks() {
hits=$((hits + 1))
# Smart whitelisting: Skip IPs with successful established connections
local established_conns=$(ss -tn state established 2>/dev/null | grep -c "$ip" || echo "0")
local established_conns=$(ss -tn state established 2>/dev/null | grep "$ip" | wc -l)
[ -z "$established_conns" ] && established_conns=0
if [ "$established_conns" -ge 5 ]; then
# IP has 5+ established connections = legitimate traffic
continue
@@ -2462,11 +2463,12 @@ monitor_network_attacks() {
# Distributed attack severity bonus
# Higher severity = more dangerous, boost scores
# Tier 4 (500+ SYN) is extreme - should auto-block immediately
case "$attack_severity" in
4) conn_bonus=$((conn_bonus + 25)) ;; # Critical DDoS
3) conn_bonus=$((conn_bonus + 15)) ;; # Severe DDoS
2) conn_bonus=$((conn_bonus + 10)) ;; # Major DDoS
1) conn_bonus=$((conn_bonus + 5)) ;; # Moderate DDoS
4) conn_bonus=$((conn_bonus + 50)) ;; # Critical DDoS (INSTANT BLOCK)
3) conn_bonus=$((conn_bonus + 30)) ;; # Severe DDoS
2) conn_bonus=$((conn_bonus + 15)) ;; # Major DDoS
1) conn_bonus=$((conn_bonus + 8)) ;; # Moderate DDoS
esac
# Attack momentum bonus (growing attack = more dangerous)
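Review bot: The new Tier 4 bonus on `4) conn_bonus=$((conn_bonus + 50)) ;; # Critical DDoS (INSTANT BLOCK)` is sized so that, per the commit description, base 15 + 50 + momentum 15 lands exactly on the 80-point auto-block threshold, but nothing in the case records that coupling, so a later change to the threshold or to the momentum bonus would silently turn Tier 4 back into detect-only. A comment above the `case "$attack_severity" in` line such as `# Tier 4 is sized so 15 base + 50 + 15 momentum reaches the 80-point auto-block threshold; keep in sync with that threshold` preserves the intent where the next maintainer will see it. The case has no `*)` arm, so a severity outside 1-4 gets no bonus at all, which is presumably intended but worth a one-line note. monitor_network_attacks starts and ends outside the hunk.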