Bug #3 (CRITICAL): Whitelisting checks used 'continue' which skipped:
- All scoring logic
- hits increment
- Final write to persistent storage
Result: Legitimate IPs or IPs with 20+ established connections NEVER
accumulate hits, breaking adaptive threshold system permanently.
Fix: Instead of 'continue' (skip everything), use skip_scoring flag to:
1. Skip threat intelligence gathering
2. Skip SYN_FLOOD attack scoring
3. Skip reputation bonuses
4. BUT STILL increment hits
5. AND STILL write to persistent storage
This way:
- Whitelisted IPs don't get scored/blocked
- But their hits still increment for historical tracking
- On next attempt, if whitelist is removed, they're blocked with higher hits
- Adaptive threshold still works
Example: Legitimate IP with 25 established connections
Scan 1: Load hits=0, passes threshold, skip_scoring=1 (whitelisted)
Don't score, but increment hits 0→1, write hits=1
Scan 2: Load hits=1, passes threshold, skip_scoring=1 (still whitelisted)
Don't score, but increment hits 1→2, write hits=2
...
Scan 5: Load hits=4, threshold now 2 (lowered), skip_scoring=1
Don't score, increment hits 4→5, write hits=5
If in scan 6 whitelist is removed: Load hits=5, threshold=1,
DO score, and since hits=5, will be blocked!
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
cschantz
26d9559676