cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
690 Commits 2 Branches 0 Tags
3b17a601000630bc4778870a536c53768e624ac6
Commit Graph

56 Commits

Author SHA1 Message Date
cschantz 5fbed6ae4c Adjust DDoS thresholds for production web servers 
Raised minimum thresholds to prevent false positives on busy websites:

Previous (too aggressive for web servers):
- Tier 4: >2 connections
- Tier 3: >3 connections
- Tier 2: >5 connections
- Tier 1: >8 connections
- Minimum: 2

New (production-safe):
- Tier 4: >3 connections (500+ total SYN)
- Tier 3: >4 connections (300-500 total)
- Tier 2: >6 connections (150-300 total)
- Tier 1: >10 connections (75-150 total)
- Minimum: 3

Rationale:
Web servers handle legitimate high traffic with brief SYN_RECV spikes.
Corporate NAT, mobile users, and APIs can cause 2-3 SYN_RECV legitimately.
Minimum of 3 prevents false positives while still catching distributed attacks.

Your 512-connection attack still triggers Tier 4 with threshold 3,
detecting 40+ attacking IPs while protecting legitimate traffic.
 2025-12-24 20:07:25 -05:00
cschantz f4b3a2401c Sync v2 with advanced DDoS intelligence 2025-12-24 20:04:56 -05:00
cschantz 198abeb564 Sync v2 with multi-tier distributed DDoS enhancements 2025-12-24 20:01:27 -05:00
cschantz 7719cfecd1 Add distributed DDoS detection with dynamic thresholds 
CRITICAL FIX for botnet-style attacks

USER REPORT:
"512 SYN_RECV connections but live monitor only shows 2 IPs"

ROOT CAUSE:
Threshold was hardcoded at >20 connections per IP. This works for
focused attacks (one IP, many connections) but FAILS for distributed
DDoS where 50+ IPs each send 5-15 connections.

Example from user's attack:
- 512 total SYN_RECV connections
- Spread across 40+ attacker IPs
- Top attacker: 107 packets (likely <20 active connections)
- Result: NONE detected, server getting hammered

SOLUTION - Dynamic Threshold:

1. Total SYN_RECV Detection (line 2226)
   Count total SYN_RECV across all IPs
   If > 100 total → distributed_attack mode activated

2. Adaptive Thresholds (lines 2247-2253)
   NORMAL MODE: threshold = 20 connections
   - Focused attack (1-2 IPs)
   - High bar to avoid false positives

   DISTRIBUTED MODE: threshold = 5 connections
   - Botnet attack (many IPs)
   - Catches participants in coordinated attack
   - Triggers when total > 100

DETECTION EXAMPLES:

Focused Attack (unchanged behavior):
- 1 IP with 150 SYN_RECV
- Total: 150, threshold: 20
- Result: 1 IP detected, blocked

Distributed Botnet (NEW):
- 50 IPs each with 10 SYN_RECV
- Total: 500, threshold: 5 (distributed mode)
- Result: ALL 50 IPs detected, reputation tracked
- Progressive blocking as scores accumulate

User's Attack (512 total):
- distributed_attack = 1 (512 > 100)
- threshold = 5
- All IPs with >5 connections now tracked
- Likely catches 30-40 of the attackers

This allows catching both attack patterns without flooding
the system with false positives during normal traffic.
 2025-12-24 19:57:22 -05:00
cschantz aadc3be64a Sync v2 with main: Add all missing auto-blocking and SYN flood enhancements 
- Added missing quick_block_ip() function
- Added INSTANT_BLOCK for score 100
- Added AUTO_BLOCK for score >=80
- Added full SYN flood reputation tracking
- Added intelligent threat scoring (persistence, escalation, threat intel)
- v2 was 7 days behind main, now synced
 2025-12-24 19:54:57 -05:00
cschantz db187f8f0f Fix menu standards: Add RED 0 back buttons to 3 menus 
Fixed php-optimizer.sh:
- Changed 'q) Quit' to '0) Exit' with RED color
- Updated case handler to use '0' instead of 'q|Q'

Fixed live-attack-monitor-v2.sh (2 menus):
1. show_blocking_menu:
   - Changed 'Cancel' to 'Back' with RED 0
2. show_security_hardening_menu:
   - Changed 'q) Return to Monitor' to '0) Back' with RED color
   - Updated case handler to use '0' instead of 'q|Q'

Progress: 3/9 menus fixed
Remaining: bot-analyzer (2), malware-scanner (1), live-attack-monitor (2), acronis-logs (1)
 2025-12-17 01:31:06 -05:00