5 Major Intelligence Enhancements:
1. SMART WHITELISTING
- Checks if IP has 5+ ESTABLISHED connections
- These are legitimate users completing TCP handshake
- Skips SYN flood detection entirely for active users
- Prevents false positives on busy sites
2. GEOGRAPHIC CLUSTERING
- Tracks countries of all attacking IPs
- If 5+ attackers from same country → Marks as "hostile country"
- All future IPs from that country get +10 score bonus
- Detects coordinated nation-state or regional botnet attacks
- Tagged as: HOSTILE-GEO
3. ASN CLUSTERING (Infrastructure Tracking)
- Extracts ASN (Autonomous System Number) from ISP data
- If 3+ attackers from same ASN → Marks as "hostile ASN"
- All future IPs from that ASN get +15 score bonus
- Identifies botnet using same hosting provider/cloud
- Example: 5 IPs all from "Hetzner AS24940" = Coordinated
- Tagged as: HOSTILE-ASN
4. HTTP ATTACK CORRELATION
- IPs with existing HTTP attacks (SQLI, XSS, RCE, LFI, etc.)
- Get +25 bonus when detected in SYN flood
- Indicates sophisticated multi-vector attacker
- These IPs reach auto-block threshold faster
- Tagged as: HTTP-ATTACKER
5. ESTABLISHED CONNECTION FILTER
- Before processing SYN_RECV, checks for ESTABLISHED state
- IPs with 5+ active connections = legitimate traffic
- Eliminates false positives from high-traffic users
- Corporate gateways, CDNs, legitimate crawlers protected
Intelligence Tag Examples:
Low sophistication botnet:
[12:34:56] 1.2.3.4 | Score:45 [MEDIUM] | 💥SYN_FLOOD | Conns:8 | DDoS:T2 BOTNET
High sophistication coordinated attack:
[12:34:56] 5.6.7.8 | Score:85 [HIGH] | 💥SYN_FLOOD | Conns:12 | DDoS:T3 ACCEL BOTNET MULTI-VECTOR HTTP-ATTACKER HOSTILE-ASN
How It Works Together:
Example Attack Scenario:
- 512 total SYN_RECV detected
- 40 IPs attacking, 25 from China, 15 from Hetzner AS24940
- 3 IPs also doing SQLI attacks
Detection Flow:
1. Tier 4 triggered (500+ total SYN)
2. After 5th Chinese IP detected → China marked hostile
3. After 3rd Hetzner IP detected → AS24940 marked hostile
4. Next Chinese IP: Base score +10 (HOSTILE-GEO)
5. Next Hetzner IP: Base score +15 (HOSTILE-ASN)
6. SQLI attacker doing SYN flood: +25 bonus (HTTP-ATTACKER)
7. Combined bonuses accelerate blocking by 20-30%
Files Created (temp directory):
- attack_countries - List of all attacking country codes
- hostile_countries - Countries with 5+ attackers
- attack_asns - List of all attacking ASNs
- hostile_asns - ASNs with 3+ attackers
- threat_enrich_{ip} - GeoIP/ASN data per IP
Benefits:
- Faster blocking of coordinated attacks
- Identifies botnet infrastructure patterns
- Protects legitimate high-traffic users
- Reveals attack attribution (country/hosting)
- Multi-vector attackers prioritized for blocking
Status: ✅ Ready for sophisticated botnet detection
CRITICAL FIX for botnet-style attacks
USER REPORT:
"512 SYN_RECV connections but live monitor only shows 2 IPs"
ROOT CAUSE:
Threshold was hardcoded at >20 connections per IP. This works for
focused attacks (one IP, many connections) but FAILS for distributed
DDoS where 50+ IPs each send 5-15 connections.
Example from user's attack:
- 512 total SYN_RECV connections
- Spread across 40+ attacker IPs
- Top attacker: 107 packets (likely <20 active connections)
- Result: NONE detected, server getting hammered
SOLUTION - Dynamic Threshold:
1. Total SYN_RECV Detection (line 2226)
Count total SYN_RECV across all IPs
If > 100 total → distributed_attack mode activated
2. Adaptive Thresholds (lines 2247-2253)
NORMAL MODE: threshold = 20 connections
- Focused attack (1-2 IPs)
- High bar to avoid false positives
DISTRIBUTED MODE: threshold = 5 connections
- Botnet attack (many IPs)
- Catches participants in coordinated attack
- Triggers when total > 100
DETECTION EXAMPLES:
Focused Attack (unchanged behavior):
- 1 IP with 150 SYN_RECV
- Total: 150, threshold: 20
- Result: 1 IP detected, blocked
Distributed Botnet (NEW):
- 50 IPs each with 10 SYN_RECV
- Total: 500, threshold: 5 (distributed mode)
- Result: ALL 50 IPs detected, reputation tracked
- Progressive blocking as scores accumulate
User's Attack (512 total):
- distributed_attack = 1 (512 > 100)
- threshold = 5
- All IPs with >5 connections now tracked
- Likely catches 30-40 of the attackers
This allows catching both attack patterns without flooding
the system with false positives during normal traffic.
Fixed php-optimizer.sh:
- Changed 'q) Quit' to '0) Exit' with RED color
- Updated case handler to use '0' instead of 'q|Q'
Fixed live-attack-monitor-v2.sh (2 menus):
1. show_blocking_menu:
- Changed 'Cancel' to 'Back' with RED 0
2. show_security_hardening_menu:
- Changed 'q) Return to Monitor' to '0) Back' with RED color
- Updated case handler to use '0' instead of 'q|Q'
Progress: 3/9 menus fixed
Remaining: bot-analyzer (2), malware-scanner (1), live-attack-monitor (2), acronis-logs (1)
cschantz