Sync v2 with advanced DDoS intelligence
@@ -2227,8 +2227,10 @@ monitor_network_attacks() {
|
|||||||
local attack_severity=0
|
local attack_severity=0
|
||||||
local unique_ips=0
|
local unique_ips=0
|
||||||
|
|
||||||
# Multi-tier distributed DDoS detection
|
# Multi-tier distributed DDoS detection with adaptive learning
|
||||||
if [ "$total_syn" -gt 300 ]; then
|
if [ "$total_syn" -gt 500 ]; then
|
||||||
|
attack_severity=4 # Critical DDoS (new tier)
|
||||||
|
elif [ "$total_syn" -gt 300 ]; then
|
||||||
attack_severity=3 # Severe DDoS
|
attack_severity=3 # Severe DDoS
|
||||||
elif [ "$total_syn" -gt 150 ]; then
|
elif [ "$total_syn" -gt 150 ]; then
|
||||||
attack_severity=2 # Major DDoS
|
attack_severity=2 # Major DDoS
|
||||||
@@ -2236,6 +2238,19 @@ monitor_network_attacks() {
|
|||||||
attack_severity=1 # Moderate DDoS
|
attack_severity=1 # Moderate DDoS
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Attack momentum tracking: Check if attack is growing
|
||||||
|
local prev_total="${PREV_TOTAL_SYN:-0}"
|
||||||
|
local attack_momentum=0
|
||||||
|
if [ "$total_syn" -gt "$prev_total" ] && [ "$prev_total" -gt 0 ]; then
|
||||||
|
local growth=$((total_syn - prev_total))
|
||||||
|
if [ "$growth" -gt 100 ]; then
|
||||||
|
attack_momentum=2 # Rapidly accelerating
|
||||||
|
elif [ "$growth" -gt 30 ]; then
|
||||||
|
attack_momentum=1 # Accelerating
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
PREV_TOTAL_SYN=$total_syn
|
||||||
|
|
||||||
# Count unique attacker IPs and track /24 subnets
|
# Count unique attacker IPs and track /24 subnets
|
||||||
declare -A subnet_counts
|
declare -A subnet_counts
|
||||||
local attacker_ips=$(ss -tn state syn-recv 2>/dev/null | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u)
|
local attacker_ips=$(ss -tn state syn-recv 2>/dev/null | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u)
|
||||||
@@ -2250,13 +2265,41 @@ monitor_network_attacks() {
|
|||||||
|
|
||||||
# Coordinated botnet detection: 3+ IPs from same /24
|
# Coordinated botnet detection: 3+ IPs from same /24
|
||||||
local coordinated_attack=0
|
local coordinated_attack=0
|
||||||
|
declare -A hostile_subnets
|
||||||
for subnet in "${!subnet_counts[@]}"; do
|
for subnet in "${!subnet_counts[@]}"; do
|
||||||
if [ "${subnet_counts[$subnet]}" -ge 3 ]; then
|
if [ "${subnet_counts[$subnet]}" -ge 3 ]; then
|
||||||
coordinated_attack=1
|
coordinated_attack=1
|
||||||
break
|
hostile_subnets[$subnet]=${subnet_counts[$subnet]}
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
# Subnet-level auto-blocking for severe attacks
|
||||||
|
# If attack_severity >= 3 AND subnet has 10+ attacking IPs, block entire /24
|
||||||
|
if [ "$attack_severity" -ge 3 ]; then
|
||||||
|
for subnet in "${!hostile_subnets[@]}"; do
|
||||||
|
local subnet_ip_count=${hostile_subnets[$subnet]}
|
||||||
|
if [ "$subnet_ip_count" -ge 10 ]; then
|
||||||
|
# Block entire /24 subnet via IPset
|
||||||
|
local subnet_cidr="${subnet}.0/24"
|
||||||
|
if ! grep -q "^${subnet_cidr}\$" "$TEMP_DIR/blocked_subnets" 2>/dev/null; then
|
||||||
|
echo "$subnet_cidr" >> "$TEMP_DIR/blocked_subnets"
|
||||||
|
(
|
||||||
|
# Add to IPset if available
|
||||||
|
if command -v ipset &>/dev/null && ipset list blocklist &>/dev/null 2>&1; then
|
||||||
|
ipset add blocklist "$subnet_cidr" -exist 2>/dev/null
|
||||||
|
fi
|
||||||
|
# Also add to CSF
|
||||||
|
if command -v csf &>/dev/null; then
|
||||||
|
csf -d "$subnet_cidr" "SUBNET_DDOS:${subnet_ip_count}IPs" 2>/dev/null
|
||||||
|
fi
|
||||||
|
) &
|
||||||
|
local time_str=$(date +"%H:%M:%S")
|
||||||
|
echo -e "${CRITICAL_COLOR}[${time_str}] SUBNET_BLOCK | $subnet_cidr | IPs:${subnet_ip_count} | Severity:${attack_severity}${NC}" >> "$TEMP_DIR/recent_events"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
# Count SYN_RECV connections per IP (sign of SYN flood)
|
# Count SYN_RECV connections per IP (sign of SYN flood)
|
||||||
while read -r ip count; do
|
while read -r ip count; do
|
||||||
# Skip local/private IPs first
|
# Skip local/private IPs first
|
||||||
@@ -2270,23 +2313,35 @@ monitor_network_attacks() {
|
|||||||
# Track connection count for this IP
|
# Track connection count for this IP
|
||||||
CONNECTION_COUNT[$ip]=$count
|
CONNECTION_COUNT[$ip]=$count
|
||||||
|
|
||||||
# Dynamic threshold based on attack severity:
|
# Dynamic threshold based on attack severity + momentum:
|
||||||
# Tier 0: >20 connections (normal, focused attack)
|
# Tier 0: >20 connections (normal, focused attack)
|
||||||
# Tier 1: >8 connections (75-150 total, moderate DDoS)
|
# Tier 1: >8 connections (75-150 total, moderate DDoS)
|
||||||
# Tier 2: >5 connections (150-300 total, major DDoS)
|
# Tier 2: >5 connections (150-300 total, major DDoS)
|
||||||
# Tier 3: >3 connections (300+ total, severe DDoS)
|
# Tier 3: >3 connections (300-500 total, severe DDoS)
|
||||||
|
# Tier 4: >2 connections (500+ total, CRITICAL DDoS)
|
||||||
local threshold=20
|
local threshold=20
|
||||||
case "$attack_severity" in
|
case "$attack_severity" in
|
||||||
|
4) threshold=2 ;; # Critical: Hyper-aggressive
|
||||||
3) threshold=3 ;; # Severe: Very aggressive
|
3) threshold=3 ;; # Severe: Very aggressive
|
||||||
2) threshold=5 ;; # Major: Aggressive
|
2) threshold=5 ;; # Major: Aggressive
|
||||||
1) threshold=8 ;; # Moderate: Balanced
|
1) threshold=8 ;; # Moderate: Balanced
|
||||||
esac
|
esac
|
||||||
|
|
||||||
# Coordinated attack bonus: Lower threshold by 2
|
# Attack momentum adaptation: Lower threshold if attack is growing
|
||||||
if [ "$coordinated_attack" -eq 1 ] && [ "$threshold" -gt 3 ]; then
|
if [ "$attack_momentum" -eq 2 ] && [ "$threshold" -gt 2 ]; then
|
||||||
threshold=$((threshold - 2))
|
threshold=$((threshold - 2)) # Rapidly accelerating attack
|
||||||
|
elif [ "$attack_momentum" -eq 1 ] && [ "$threshold" -gt 2 ]; then
|
||||||
|
threshold=$((threshold - 1)) # Accelerating attack
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Coordinated attack bonus: Lower threshold by 1 (stacks with momentum)
|
||||||
|
if [ "$coordinated_attack" -eq 1 ] && [ "$threshold" -gt 2 ]; then
|
||||||
|
threshold=$((threshold - 1))
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Minimum threshold of 2 to prevent false positives
|
||||||
|
[ "$threshold" -lt 2 ] && threshold=2
|
||||||
|
|
||||||
if [ "$count" -gt "$threshold" ]; then
|
if [ "$count" -gt "$threshold" ]; then
|
||||||
# Only process once per detection window
|
# Only process once per detection window
|
||||||
if [ -z "${ALERT_SENT[$ip]}" ]; then
|
if [ -z "${ALERT_SENT[$ip]}" ]; then
|
||||||
@@ -2367,6 +2422,33 @@ monitor_network_attacks() {
|
|||||||
conn_bonus=15
|
conn_bonus=15
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Distributed attack severity bonus
|
||||||
|
# Higher severity = more dangerous, boost scores
|
||||||
|
case "$attack_severity" in
|
||||||
|
4) conn_bonus=$((conn_bonus + 25)) ;; # Critical DDoS
|
||||||
|
3) conn_bonus=$((conn_bonus + 15)) ;; # Severe DDoS
|
||||||
|
2) conn_bonus=$((conn_bonus + 10)) ;; # Major DDoS
|
||||||
|
1) conn_bonus=$((conn_bonus + 5)) ;; # Moderate DDoS
|
||||||
|
esac
|
||||||
|
|
||||||
|
# Attack momentum bonus (growing attack = more dangerous)
|
||||||
|
if [ "$attack_momentum" -eq 2 ]; then
|
||||||
|
conn_bonus=$((conn_bonus + 15)) # Rapidly accelerating
|
||||||
|
elif [ "$attack_momentum" -eq 1 ]; then
|
||||||
|
conn_bonus=$((conn_bonus + 8)) # Accelerating
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Multi-vector attack detection: Check if IP also has HTTP attacks
|
||||||
|
# This indicates sophisticated attacker (SYN flood + application layer)
|
||||||
|
local multi_vector=0
|
||||||
|
if [ -f "$TEMP_DIR/ip_${ip//\./_}" ]; then
|
||||||
|
local existing_attacks=$(grep -oP 'attacks=\K[^|]+' "$TEMP_DIR/ip_${ip//\./_}" 2>/dev/null || echo "")
|
||||||
|
if [[ "$existing_attacks" =~ (SQLI|XSS|RCE|LFI|RFI|WEBSHELL) ]]; then
|
||||||
|
multi_vector=1
|
||||||
|
conn_bonus=$((conn_bonus + 30)) # Multi-vector = very dangerous
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
# Connection persistence bonus (repeated detections of same IP)
|
# Connection persistence bonus (repeated detections of same IP)
|
||||||
# This indicates sustained attack vs transient spike
|
# This indicates sustained attack vs transient spike
|
||||||
if [ "${hits:-0}" -ge 5 ]; then
|
if [ "${hits:-0}" -ge 5 ]; then
|
||||||
@@ -2439,11 +2521,19 @@ monitor_network_attacks() {
|
|||||||
# Log to reputation DB
|
# Log to reputation DB
|
||||||
flag_ip_attack "$ip" "SYN_FLOOD" 0 "SYN flood: $count connections" >/dev/null 2>&1 &
|
flag_ip_attack "$ip" "SYN_FLOOD" 0 "SYN flood: $count connections" >/dev/null 2>&1 &
|
||||||
|
|
||||||
# Log event with reputation score
|
# Log event with reputation score and attack intelligence
|
||||||
local time_str=$(date +"%H:%M:%S")
|
local time_str=$(date +"%H:%M:%S")
|
||||||
local level=$(get_threat_level "$score")
|
local level=$(get_threat_level "$score")
|
||||||
local color=$(get_threat_color "$level")
|
local color=$(get_threat_color "$level")
|
||||||
echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 💥SYN_FLOOD | $count SYN_RECV connections${NC}" >> "$TEMP_DIR/recent_events"
|
|
||||||
|
# Build intelligence summary
|
||||||
|
local intel_tags=""
|
||||||
|
[ "$attack_severity" -ge 1 ] && intel_tags="${intel_tags}DDoS:T${attack_severity} "
|
||||||
|
[ "$attack_momentum" -ge 1 ] && intel_tags="${intel_tags}ACCEL "
|
||||||
|
[ "$coordinated_attack" -eq 1 ] && intel_tags="${intel_tags}BOTNET "
|
||||||
|
[ "$multi_vector" -eq 1 ] && intel_tags="${intel_tags}MULTI-VECTOR "
|
||||||
|
|
||||||
|
echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 💥SYN_FLOOD | Conns:$count | ${intel_tags}${NC}" >> "$TEMP_DIR/recent_events"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
# Reset alert if connections drop below threshold
|
# Reset alert if connections drop below threshold
|
||||||
|
|||||||
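Review bot: The new subnet auto-block (the `if [ "$attack_severity" -ge 3 ]` loop that ends with `csf -d "$subnet_cidr" ...`) derives the /24 from `ss -tn state syn-recv` source addresses, which a SYN flood can spoof freely, so an attacker who spoofs ten addresses inside a CDN, DNS resolver or the operator's own /24 gets that whole subnet permanently denied, turning the defence into an outage vector. The per-IP path below it skips local/private addresses (`# Skip local/private IPs first`), but the subnet path has no such guard and `subnet_counts` is filled outside this hunk, so it is not visible whether private or allow-listed ranges were already excluded. At minimum make the block expire rather than persist: `csf -td "$subnet_cidr" 3600 "SUBNET_DDOS:${subnet_ip_count}IPs" 2>/dev/null` and `ipset add blocklist "$subnet_cidr" timeout 3600 -exist 2>/dev/null` (the latter only works if the set was created with timeout support and a `hash:net` type; a `hash:ip` set will reject a CIDR, and the `2>/dev/null` hides that while the `SUBNET_BLOCK` event is still logged as if it succeeded). Also worth a comment above the loop noting that the count is of spoofable SYN_RECV sources and why severity 3 plus ten IPs was chosen as the trip point. The enclosing function `monitor_network_attacks` begins before the first hunk and continues past the last.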