diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh index f0ca886..d786a72 100755 --- a/modules/security/live-attack-monitor-v2.sh +++ b/modules/security/live-attack-monitor-v2.sh @@ -2227,8 +2227,10 @@ monitor_network_attacks() { local attack_severity=0 local unique_ips=0 - # Multi-tier distributed DDoS detection - if [ "$total_syn" -gt 300 ]; then + # Multi-tier distributed DDoS detection with adaptive learning + if [ "$total_syn" -gt 500 ]; then + attack_severity=4 # Critical DDoS (new tier) + elif [ "$total_syn" -gt 300 ]; then attack_severity=3 # Severe DDoS elif [ "$total_syn" -gt 150 ]; then attack_severity=2 # Major DDoS @@ -2236,6 +2238,19 @@ monitor_network_attacks() { attack_severity=1 # Moderate DDoS fi + # Attack momentum tracking: Check if attack is growing + local prev_total="${PREV_TOTAL_SYN:-0}" + local attack_momentum=0 + if [ "$total_syn" -gt "$prev_total" ] && [ "$prev_total" -gt 0 ]; then + local growth=$((total_syn - prev_total)) + if [ "$growth" -gt 100 ]; then + attack_momentum=2 # Rapidly accelerating + elif [ "$growth" -gt 30 ]; then + attack_momentum=1 # Accelerating + fi + fi + PREV_TOTAL_SYN=$total_syn + # Count unique attacker IPs and track /24 subnets declare -A subnet_counts local attacker_ips=$(ss -tn state syn-recv 2>/dev/null | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u) @@ -2250,13 +2265,41 @@ monitor_network_attacks() { # Coordinated botnet detection: 3+ IPs from same /24 local coordinated_attack=0 + declare -A hostile_subnets for subnet in "${!subnet_counts[@]}"; do if [ "${subnet_counts[$subnet]}" -ge 3 ]; then coordinated_attack=1 - break + hostile_subnets[$subnet]=${subnet_counts[$subnet]} fi done + # Subnet-level auto-blocking for severe attacks + # If attack_severity >= 3 AND subnet has 10+ attacking IPs, block entire /24 + if [ "$attack_severity" -ge 3 ]; then + for subnet in "${!hostile_subnets[@]}"; do + local subnet_ip_count=${hostile_subnets[$subnet]} + if [ "$subnet_ip_count" -ge 10 ]; then + # Block entire /24 subnet via IPset + local subnet_cidr="${subnet}.0/24" + if ! grep -q "^${subnet_cidr}\$" "$TEMP_DIR/blocked_subnets" 2>/dev/null; then + echo "$subnet_cidr" >> "$TEMP_DIR/blocked_subnets" + ( + # Add to IPset if available + if command -v ipset &>/dev/null && ipset list blocklist &>/dev/null 2>&1; then + ipset add blocklist "$subnet_cidr" -exist 2>/dev/null + fi + # Also add to CSF + if command -v csf &>/dev/null; then + csf -d "$subnet_cidr" "SUBNET_DDOS:${subnet_ip_count}IPs" 2>/dev/null + fi + ) & + local time_str=$(date +"%H:%M:%S") + echo -e "${CRITICAL_COLOR}[${time_str}] SUBNET_BLOCK | $subnet_cidr | IPs:${subnet_ip_count} | Severity:${attack_severity}${NC}" >> "$TEMP_DIR/recent_events" + fi + fi + done + fi + # Count SYN_RECV connections per IP (sign of SYN flood) while read -r ip count; do # Skip local/private IPs first @@ -2270,23 +2313,35 @@ monitor_network_attacks() { # Track connection count for this IP CONNECTION_COUNT[$ip]=$count - # Dynamic threshold based on attack severity: + # Dynamic threshold based on attack severity + momentum: # Tier 0: >20 connections (normal, focused attack) # Tier 1: >8 connections (75-150 total, moderate DDoS) # Tier 2: >5 connections (150-300 total, major DDoS) - # Tier 3: >3 connections (300+ total, severe DDoS) + # Tier 3: >3 connections (300-500 total, severe DDoS) + # Tier 4: >2 connections (500+ total, CRITICAL DDoS) local threshold=20 case "$attack_severity" in + 4) threshold=2 ;; # Critical: Hyper-aggressive 3) threshold=3 ;; # Severe: Very aggressive 2) threshold=5 ;; # Major: Aggressive 1) threshold=8 ;; # Moderate: Balanced esac - # Coordinated attack bonus: Lower threshold by 2 - if [ "$coordinated_attack" -eq 1 ] && [ "$threshold" -gt 3 ]; then - threshold=$((threshold - 2)) + # Attack momentum adaptation: Lower threshold if attack is growing + if [ "$attack_momentum" -eq 2 ] && [ "$threshold" -gt 2 ]; then + threshold=$((threshold - 2)) # Rapidly accelerating attack + elif [ "$attack_momentum" -eq 1 ] && [ "$threshold" -gt 2 ]; then + threshold=$((threshold - 1)) # Accelerating attack fi + # Coordinated attack bonus: Lower threshold by 1 (stacks with momentum) + if [ "$coordinated_attack" -eq 1 ] && [ "$threshold" -gt 2 ]; then + threshold=$((threshold - 1)) + fi + + # Minimum threshold of 2 to prevent false positives + [ "$threshold" -lt 2 ] && threshold=2 + if [ "$count" -gt "$threshold" ]; then # Only process once per detection window if [ -z "${ALERT_SENT[$ip]}" ]; then @@ -2367,6 +2422,33 @@ monitor_network_attacks() { conn_bonus=15 fi + # Distributed attack severity bonus + # Higher severity = more dangerous, boost scores + case "$attack_severity" in + 4) conn_bonus=$((conn_bonus + 25)) ;; # Critical DDoS + 3) conn_bonus=$((conn_bonus + 15)) ;; # Severe DDoS + 2) conn_bonus=$((conn_bonus + 10)) ;; # Major DDoS + 1) conn_bonus=$((conn_bonus + 5)) ;; # Moderate DDoS + esac + + # Attack momentum bonus (growing attack = more dangerous) + if [ "$attack_momentum" -eq 2 ]; then + conn_bonus=$((conn_bonus + 15)) # Rapidly accelerating + elif [ "$attack_momentum" -eq 1 ]; then + conn_bonus=$((conn_bonus + 8)) # Accelerating + fi + + # Multi-vector attack detection: Check if IP also has HTTP attacks + # This indicates sophisticated attacker (SYN flood + application layer) + local multi_vector=0 + if [ -f "$TEMP_DIR/ip_${ip//\./_}" ]; then + local existing_attacks=$(grep -oP 'attacks=\K[^|]+' "$TEMP_DIR/ip_${ip//\./_}" 2>/dev/null || echo "") + if [[ "$existing_attacks" =~ (SQLI|XSS|RCE|LFI|RFI|WEBSHELL) ]]; then + multi_vector=1 + conn_bonus=$((conn_bonus + 30)) # Multi-vector = very dangerous + fi + fi + # Connection persistence bonus (repeated detections of same IP) # This indicates sustained attack vs transient spike if [ "${hits:-0}" -ge 5 ]; then @@ -2439,11 +2521,19 @@ monitor_network_attacks() { # Log to reputation DB flag_ip_attack "$ip" "SYN_FLOOD" 0 "SYN flood: $count connections" >/dev/null 2>&1 & - # Log event with reputation score + # Log event with reputation score and attack intelligence local time_str=$(date +"%H:%M:%S") local level=$(get_threat_level "$score") local color=$(get_threat_color "$level") - echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 💥SYN_FLOOD | $count SYN_RECV connections${NC}" >> "$TEMP_DIR/recent_events" + + # Build intelligence summary + local intel_tags="" + [ "$attack_severity" -ge 1 ] && intel_tags="${intel_tags}DDoS:T${attack_severity} " + [ "$attack_momentum" -ge 1 ] && intel_tags="${intel_tags}ACCEL " + [ "$coordinated_attack" -eq 1 ] && intel_tags="${intel_tags}BOTNET " + [ "$multi_vector" -eq 1 ] && intel_tags="${intel_tags}MULTI-VECTOR " + + echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 💥SYN_FLOOD | Conns:$count | ${intel_tags}${NC}" >> "$TEMP_DIR/recent_events" fi else # Reset alert if connections drop below threshold