cschantz
5fbed6ae4c
Adjust DDoS thresholds for production web servers
Raised minimum thresholds to prevent false positives on busy websites:
Previous (too aggressive for web servers):
- Tier 4: >2 connections
- Tier 3: >3 connections
- Tier 2: >5 connections
- Tier 1: >8 connections
- Minimum: 2
New (production-safe):
- Tier 4: >3 connections (500+ total SYN)
- Tier 3: >4 connections (300-500 total)
- Tier 2: >6 connections (150-300 total)
- Tier 1: >10 connections (75-150 total)
- Minimum: 3
Rationale:
Web servers handle legitimate high traffic with brief SYN_RECV spikes.
Corporate NAT, mobile users, and APIs can cause 2-3 SYN_RECV legitimately.
Minimum of 3 prevents false positives while still catching distributed attacks.
Your 512-connection attack still triggers Tier 4 with threshold 3,
detecting 40+ attacking IPs while protecting legitimate traffic.
2025-12-24 20:07:25 -05:00
..
2025-12-17 01:34:24 -05:00
2025-12-11 17:01:17 -05:00
2025-11-03 18:21:40 -05:00
2025-12-03 20:12:20 -05:00
2025-12-24 20:07:25 -05:00
2025-12-24 20:07:25 -05:00
2025-12-23 16:59:46 -05:00
2025-12-04 20:39:08 -05:00
2025-11-03 18:21:40 -05:00
2025-11-20 15:50:45 -05:00
2025-11-19 20:06:50 -05:00
2025-11-03 18:21:40 -05:00
2025-11-03 18:21:40 -05:00
2025-11-20 15:50:45 -05:00