guardar_ataque() to log, classify, and optionally block the offending IP.
SYN flood
A SYN flood sends a continuous stream of TCP SYN packets to a target without completing the three-way handshake. The server allocates a half-open connection entry for each unanswered SYN. Once the connection table is exhausted, the server can no longer accept legitimate connections. Detector: detectar_syn_flood(packet), defined in ids.py.
| Property | Value |
|---|---|
| Protocol | TCP |
| Flag filter | S only (pure SYN, no ACK) |
| Threshold | THRESHOLD_SYN_FLOOD = 10 packets in 500 ms |
| Severity | ALTA |
| ML classification | Yes (if IPS mode is active) |
The detector counts packets per source IP inside a 500 ms sliding window. A legitimate browser opening a connection generates one SYN; 10 SYNs from the same IP in half a second is an unambiguous flood signal.
Distributed denial of service (DDoS)
A distributed denial-of-service attack sends a high volume of packets from many source IPs toward a single destination, overwhelming its bandwidth or processing capacity. Because the traffic originates from thousands of hosts, blocking a single IP is insufficient. Detector: detectar_ddos(packet), defined in ids.py.
| Property | Value |
|---|---|
| Protocol | TCP or UDP |
| Counting key | Destination IP (not source) |
| Threshold | THRESHOLD_DDOS = 500 packets in 1 s |
| Severity | ALTA |
| ML classification | Yes |
Unlike the other detectors, detectar_ddos indexes paquetes_por_ip by destination IP. This lets it aggregate traffic from many sources and fire when the total inbound rate exceeds the threshold — the defining characteristic of a volumetric DDoS.
Port scan
Port scanning is a reconnaissance technique where an attacker probes a host for open ports and running services. Tools such as nmap send a SYN to each port and record which ones reply. The IDS detects this by tracking how many distinct destination ports a single source IP has contacted. Detector: detectar_escaneo_puertos(packet), defined in ids.py.
| Property | Value |
|---|---|
| Protocol | TCP |
| Flag filter | S only |
| Counting key | Source IP → set of unique destination ports |
| Threshold | PORT_SCAN_THRESHOLD = 10 unique ports (cumulative per session) |
| Severity | MEDIA |
| ML classification | Yes |
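The cumulative distinct-port counter behind detectar_escaneo_puertos, written out as an added example (this is not the project's ids.py code). The Packet dataclass is an assumed stand-in for the fields read from a Scapy packet, the alert dictionary keys are invented, and "grown past the threshold" is read as a strict greater-than comparison. The constructed scenario shows why a chatty but legitimate client never trips the detector, why the alert repeats on every later SYN once the set has passed the threshold, and that only reset() (restarting monitoring) clears it.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Threshold as documented on the page (PORT_SCAN_THRESHOLD = 10 unique ports).
PORT_SCAN_THRESHOLD = 10


@dataclass(frozen=True)
class Packet:
    """Assumed minimal stand-in for the fields the detector reads from a Scapy packet."""
    ip_src: str
    ip_dst: str
    proto: str       # "TCP" or "UDP"
    dport: int
    flags: str = ""  # TCP flags as Scapy renders them, e.g. "S", "SA", "A"


class PortScanDetector:
    """Cumulative set of distinct destination ports per source IP; no time window."""

    def __init__(self, threshold: int = PORT_SCAN_THRESHOLD) -> None:
        self.threshold = threshold
        self.puertos_por_ip: dict[str, set[int]] = defaultdict(set)

    def process(self, pkt: Packet) -> Optional[dict]:
        # Only pure SYNs count: a SYN-ACK or ACK belongs to an established exchange.
        if pkt.proto != "TCP" or pkt.flags != "S":
            return None
        puertos = self.puertos_por_ip[pkt.ip_src]
        puertos.add(pkt.dport)
        # Fires once the set has grown past the threshold and keeps firing on every
        # later SYN from that IP, because nothing ever shrinks or expires the set.
        if len(puertos) > self.threshold:
            return {"tipo": "Escaneo de puertos", "ip_src": pkt.ip_src,
                    "puertos_unicos": len(puertos), "severidad": "MEDIA"}
        return None

    def reset(self) -> None:
        """Equivalent of restarting monitoring: the only way the counter is cleared."""
        self.puertos_por_ip.clear()


def run_scenario() -> list[dict]:
    """Constructed traffic: a normal client, then a sequential scanner, then a repeat SYN."""
    det = PortScanDetector()
    traffic: list[Packet] = []
    # Normal client: 100 SYNs but only two distinct ports -> never alerts.
    for _ in range(50):
        traffic.append(Packet("10.0.0.5", "10.0.0.1", "TCP", 80, "S"))
        traffic.append(Packet("10.0.0.5", "10.0.0.1", "TCP", 443, "S"))
    # Scanner walks ports 1..12: alerts on the 11th and 12th distinct port.
    for port in range(1, 13):
        traffic.append(Packet("192.0.2.77", "10.0.0.1", "TCP", port, "S"))
    # An ACK from the scanner is ignored; a repeat SYN to an already-seen port still alerts.
    traffic.append(Packet("192.0.2.77", "10.0.0.1", "TCP", 1, "A"))
    traffic.append(Packet("192.0.2.77", "10.0.0.1", "TCP", 1, "S"))
    return [a for a in (det.process(p) for p in traffic) if a is not None]


if __name__ == "__main__":
    for alerta in run_scenario():
        print(alerta)
```

The scenario yields three alerts, all for 192.0.2.77: two as the set crosses 11 and 12 ports and a third for the repeat SYN, which is the repeat-alert behaviour the page notes. Operationally that means a single slow scan spread over hours is still caught (no window to outlive), at the cost of alert volume until the process is restarted.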
Port counting is cumulative for the session — there is no time window. Once puertos_por_ip[ip_src] has grown past the threshold, every subsequent SYN from that IP triggers an alert until monitoring is restarted.
Possible exploit
Exploit detection watches for connection attempts to a fixed list of ports historically associated with critical vulnerabilities. The list covers protocols that have been the entry point for major malware campaigns (WannaCry via SMB, BlueKeep via RDP, and others). Detector: detectar_exploit(packet), defined in ids.py.
| Port | Protocol | Common exploit |
|---|---|---|
| 21 | FTP | Brute force, anonymous login, CVE-2010-4221 |
| 22 | SSH | Brute force, credential stuffing |
| 23 | Telnet | Cleartext credentials, Mirai botnet |
| 69 | TFTP | Unauthenticated file transfer |
| 135 | MS-RPC | DCOM exploits, CVE-2003-0352 |
| 139 | NetBIOS | SMB relay, legacy Windows shares |
| 445 | SMB | EternalBlue (CVE-2017-0144), WannaCry |
| 3389 | RDP | BlueKeep (CVE-2019-0708), brute force |
| 5900 | VNC | Authentication bypass, CVE-2006-2369 |
| Property | Value |
|---|---|
| Protocol | TCP or UDP |
| Flag filter | S (SYN) or SA (SYN-ACK) only |
| Threshold | None — any connection to a listed port triggers an alert |
| Severity | CRITICA |
| ML classification | Yes |
SQL injection
SQL injection detection works at the application layer by inspecting the raw byte payload of TCP packets. The detector decodes the Raw Scapy layer as UTF-8 and applies a multi-pattern regular expression covering the most common injection techniques. Detector: detectar_sql_injection(packet), defined in ids.py.
| Pattern | Technique |
|---|---|
| SELECT … --, DROP … ; | SQL keyword followed by a comment or terminator |
| ' OR 1=1 | Authentication bypass |
| UNION SELECT | Data extraction from additional tables |
| EXEC sp_* / EXEC xp_* | Stored procedure execution (SQL Server) |
| ; -- | Inline comment to truncate original query |
| WAITFOR DELAY | Blind time-based injection (SQL Server) |
| sleep(N) | Blind time-based injection (MySQL) |
| Property | Value |
|---|---|
| Protocol | TCP (payload-bearing packets only) |
| Threshold | None — single pattern match triggers alert |
| Severity | CRITICA |
| ML classification | No (usar_ml=False) — the payload analysis is definitive |
ML classification is skipped for SQL injection because the regex match on the raw payload is already high-confidence evidence. Running the ML classifier on top would be redundant and could introduce latency.
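A payload inspector in the shape the section describes (decode the Raw layer as UTF-8, run one alternation regex over it), added here as an example and not the regex from ids.py, which the page does not reproduce. The pattern is my approximation of the table rows; the alert keys are invented. Two details go beyond the page: the payload is URL-decoded before matching, because the same injection travels URL-encoded in an HTTP body, and a payload that is not valid UTF-8 (a TLS record, a binary protocol) is skipped rather than raising. The constructed samples include a legitimate plaintext query to show that the "SELECT … ;" row is broad enough to flag ordinary database traffic on an unencrypted link, which is the main tuning concern with this detector.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Approximation of the page's pattern table; the exact expression in ids.py is not on the page.
SQLI_PATTERN = re.compile(
    r"(?:"
    r"\b(?:select|drop)\b[^\n]*?(?:--|;)"   # SQL keyword followed by a comment or terminator
    r"|'\s*or\s+1\s*=\s*1"                   # ' OR 1=1 authentication bypass
    r"|\bunion\s+(?:all\s+)?select\b"        # UNION SELECT data extraction
    r"|\bexec\s+[sx]p_\w+"                   # EXEC sp_* / EXEC xp_* (SQL Server)
    r"|;\s*--"                               # inline comment truncating the query
    r"|\bwaitfor\s+delay\b"                  # blind time-based (SQL Server)
    r"|\bsleep\s*\(\s*\d+\s*\)"              # blind time-based (MySQL)
    r")",
    re.IGNORECASE,
)


def inspect_payload(raw: bytes) -> Optional[dict]:
    """Decode a TCP payload as UTF-8, URL-decode it, and report the first injection match."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        # Binary payloads (TLS, database wire protocols with non-text framing) are skipped.
        return None
    # Added step: an HTTP form body carries the injection percent-encoded.
    text = unquote_plus(text)
    m = SQLI_PATTERN.search(text)
    if m is None:
        return None
    # usar_ml=False mirrors the page: the payload match is treated as definitive.
    return {"tipo": "SQL injection", "patron": m.group(0),
            "severidad": "CRITICA", "usar_ml": False}


# Constructed sample payloads, labelled by what they are meant to exercise.
SAMPLES = {
    "benign_http": b"GET /search?q=shoes HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "auth_bypass_form": b"username=admin%27+OR+1%3D1--&password=x",
    "union_query_param": b"id=1%20UNION%20SELECT%20username,password%20FROM%20users",
    "time_based_mssql": b"q=1; WAITFOR DELAY '0:0:5'--",
    "tls_record": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
    "legit_plaintext_sql": b"SELECT name FROM products WHERE id = 7;",
}


def scan_samples() -> dict:
    """Map each sample name to the matched pattern text, or None when nothing fired."""
    return {name: (r["patron"] if (r := inspect_payload(raw)) else None)
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:22s} -> {hit!r}")
```

The last sample is the caveat: on a segment where database clients talk in cleartext, a row like "SELECT … ;" fires on every ordinary statement. In practice you either scope the detector to the web-facing ports where SQL keywords never belong in a request, or accept that the ML skip (usar_ml=False) removes the one stage that could have down-ranked such a hit.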
UDP flood
A UDP flood saturates a target with high-volume UDP traffic. Because UDP has no handshake, the server must process every datagram (or generate ICMP port-unreachable responses), quickly exhausting bandwidth and CPU. DNS amplification attacks are a common variant. Detector: detectar_udp_flood(packet), defined in ids.py.
| Property | Value |
|---|---|
| Protocol | UDP (primary); also fires on TCP if port is non-zero |
| Counting key | Destination IP |
| Threshold | THRESHOLD_UDP_FLOOD = 500 packets in 1 s |
| Severity | ALTA |
| ML classification | Yes |
detectar_udp_flood and detectar_ddos share the same paquetes_por_ip counter indexed by destination IP and the same 1-second window. On a UDP/IP packet, both detectors evaluate the same count. The UDP flood detector exists to catch UDP-specific saturation patterns that would otherwise be subsumed by the general DDoS detector.
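The three rate-based detectors on this page (SYN flood keyed by source, DDoS and UDP flood keyed by destination and sharing one count) rest on the same sliding-window counter, so one added example covers all of them. This is illustrative code, not ids.py: the Packet dataclass is an assumed stand-in for what is read from a Scapy packet, the page's thresholds are applied as greater-or-equal, the source-keyed and destination-keyed counts are held in two counter objects for clarity where the page describes a single paquetes_por_ip dictionary, and timestamps are taken from the packet rather than from the clock so the scenarios are reproducible. The scenarios show a burst that trips the SYN flood rule, the same number of SYNs spread out so the window never fills, and a many-source UDP burst that trips DDoS and UDP flood together while never touching the per-source SYN count.

```python
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass

# Thresholds and windows as documented on the page.
THRESHOLD_SYN_FLOOD = 10   # SYNs from one source within 500 ms
WINDOW_SYN_FLOOD = 0.5
THRESHOLD_DDOS = 500       # packets to one destination within 1 s
THRESHOLD_UDP_FLOOD = 500
WINDOW_VOLUMETRIC = 1.0


@dataclass(frozen=True)
class Packet:
    """Assumed stand-in for the fields read from a Scapy packet."""
    ip_src: str
    ip_dst: str
    proto: str       # "TCP" or "UDP"
    flags: str = ""  # TCP flags as Scapy renders them ("S", "SA", ...)
    t: float = 0.0   # capture timestamp in seconds


class SlidingWindowCounter:
    """Per-key timestamps; add() returns how many fall within the last `window` seconds."""

    def __init__(self, window: float) -> None:
        self.window = window
        self._hits: dict[str, deque[float]] = defaultdict(deque)

    def add(self, key: str, now: float) -> int:
        q = self._hits[key]
        q.append(now)
        while q and now - q[0] > self.window:   # expire entries older than the window
            q.popleft()
        return len(q)


class RateDetectors:
    def __init__(self) -> None:
        self.syn_por_origen = SlidingWindowCounter(WINDOW_SYN_FLOOD)
        # Shared by the DDoS and UDP flood rules, as the page describes.
        self.paquetes_por_destino = SlidingWindowCounter(WINDOW_VOLUMETRIC)

    def process(self, pkt: Packet) -> list[dict]:
        alerts: list[dict] = []
        if pkt.proto == "TCP" and pkt.flags == "S":
            n = self.syn_por_origen.add(pkt.ip_src, pkt.t)
            if n >= THRESHOLD_SYN_FLOOD:
                alerts.append({"tipo": "SYN flood", "clave": pkt.ip_src, "n": n, "severidad": "ALTA"})
        if pkt.proto in ("TCP", "UDP"):
            n = self.paquetes_por_destino.add(pkt.ip_dst, pkt.t)
            if n >= THRESHOLD_DDOS:
                alerts.append({"tipo": "DDoS", "clave": pkt.ip_dst, "n": n, "severidad": "ALTA"})
            if pkt.proto == "UDP" and n >= THRESHOLD_UDP_FLOOD:
                alerts.append({"tipo": "UDP flood", "clave": pkt.ip_dst, "n": n, "severidad": "ALTA"})
        return alerts


def _count_alerts(packets: list[Packet]) -> dict[str, int]:
    det = RateDetectors()
    counts: dict[str, int] = defaultdict(int)
    for p in packets:
        for a in det.process(p):
            counts[a["tipo"]] += 1
    return dict(counts)


def run_scenarios() -> dict[str, dict[str, int]]:
    """Constructed traffic; spacings are powers of two so window arithmetic is exact."""
    # A: 12 SYNs from one host in 0.35 s -> SYN flood fires on the 10th, 11th and 12th.
    burst = [Packet("192.0.2.10", "10.0.0.1", "TCP", "S", i / 32) for i in range(12)]
    # B: the same 12 SYNs spread over 1.4 s -> at most 5 fall inside any 500 ms window.
    spread = [Packet("192.0.2.10", "10.0.0.1", "TCP", "S", i / 8) for i in range(12)]
    # C: 600 UDP datagrams from 600 sources to one host in 0.6 s -> DDoS and UDP flood
    #    fire together from the 500th packet on; no source ever sends a SYN.
    volumetric = [Packet(f"10.{i // 256}.{i % 256}.9", "10.0.0.1", "UDP", "", i / 1024)
                  for i in range(600)]
    return {"burst": _count_alerts(burst), "spread": _count_alerts(spread),
            "volumetric": _count_alerts(volumetric)}


if __name__ == "__main__":
    for name, counts in run_scenarios().items():
        print(name, counts)
```

Scenario C is the point of keying by destination: each of the 600 sources sends a single packet, so any per-source rule stays silent, while the destination count crosses 500 and keeps alerting on every subsequent packet for as long as the window stays full. That repeat-alert behaviour is why a production deployment rate-limits or deduplicates what guardar_ataque() writes.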