Oryx includes an automatic threat detection system that monitors ingress traffic for signs of a SYN flood attack. No configuration is required — detection runs in a background thread from the moment Oryx starts capturing packets.
How detection works
Oryx uses a sliding window approach:
- A background thread wakes every 5 seconds and counts ingress packets until it has accumulated a window of 100,000 packets.
- Within that window, it counts the number of ingress TCP packets with the SYN flag set.
- If more than 95% of the 100,000-packet window consists of SYN packets, a SYN flood threat is recorded.
Detection only begins after at least 100,000 ingress packets have been observed. Before that threshold is reached, the Alert section shows “No threats or attacks have been detected.”
Visual indicator
The Alert tab in the section header changes appearance based on detection state:

| State | Appearance |
|---|---|
| No threats | Dimmed gray label |
| Threat detected (focused) | Red background, flashing |
| Threat detected (unfocused) | Red text, flashing |
Threat details
When a SYN flood is detected, the Alert section displays the top source IP addresses contributing to the flood, ranked by the number of SYN packets sent from each address. This helps you identify the primary attacking sources at a glance. If no threats are present, the section displays: “No threats or attacks have been detected.”
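The windowed ratio check described under "How detection works" and the per-source ranking described above, written out as an added Rust example. This is illustrative code, not Oryx's own implementation: the `IngressPacket` type, the `SynFloodDetector` struct and the sample traffic are assumptions constructed for the example, while the 100,000-packet window and the 95% threshold are the values the documentation states.

```rust
use std::collections::HashMap;
use std::net::Ipv4Addr;

/// Window size and SYN ratio as stated in the Oryx documentation.
pub const WINDOW_SIZE: usize = 100_000;
pub const SYN_RATIO_THRESHOLD: f64 = 0.95;

/// Minimal view of an ingress packet (hypothetical type, not Oryx's own).
#[derive(Clone, Copy, Debug)]
pub struct IngressPacket {
    pub src: Ipv4Addr,
    /// true when this is a TCP packet with the SYN flag set
    pub tcp_syn: bool,
}

/// Emitted when a closed window exceeds the SYN ratio threshold.
#[derive(Debug, PartialEq)]
pub struct SynFloodReport {
    pub syn_count: usize,
    pub window_size: usize,
    /// Source addresses ranked by SYN count, highest first.
    pub top_sources: Vec<(Ipv4Addr, usize)>,
}

/// Counters for the current 100,000-packet window (assumed structure).
#[derive(Default)]
pub struct SynFloodDetector {
    packets_in_window: usize,
    syn_in_window: usize,
    syn_by_source: HashMap<Ipv4Addr, usize>,
}

impl SynFloodDetector {
    pub fn new() -> Self {
        Self::default()
    }

    /// Feed one ingress packet. A report is returned only when the window
    /// closes and more than 95% of it was SYN packets; the counters reset at
    /// every window boundary regardless of the outcome.
    pub fn observe(&mut self, pkt: &IngressPacket, top_n: usize) -> Option<SynFloodReport> {
        self.packets_in_window += 1;
        if pkt.tcp_syn {
            self.syn_in_window += 1;
            *self.syn_by_source.entry(pkt.src).or_insert(0) += 1;
        }
        if self.packets_in_window < WINDOW_SIZE {
            return None; // fewer than 100,000 packets seen: no verdict yet
        }
        let ratio = self.syn_in_window as f64 / self.packets_in_window as f64;
        let report = if ratio > SYN_RATIO_THRESHOLD {
            Some(SynFloodReport {
                syn_count: self.syn_in_window,
                window_size: self.packets_in_window,
                top_sources: self.ranked_sources(top_n),
            })
        } else {
            None
        };
        self.packets_in_window = 0;
        self.syn_in_window = 0;
        self.syn_by_source.clear();
        report
    }

    /// Sources ordered by SYN count descending; ties broken by address so the
    /// ranking is deterministic.
    fn ranked_sources(&self, top_n: usize) -> Vec<(Ipv4Addr, usize)> {
        let mut ranked: Vec<(Ipv4Addr, usize)> =
            self.syn_by_source.iter().map(|(ip, n)| (*ip, *n)).collect();
        ranked.sort_by(|a, b| b.1.cmp(&a.1).then(a.0.cmp(&b.0)));
        ranked.truncate(top_n);
        ranked
    }
}

/// Run a fresh detector over a packet sequence and return the first report, if any.
pub fn first_report(packets: &[IngressPacket], top_n: usize) -> Option<SynFloodReport> {
    let mut det = SynFloodDetector::new();
    packets.iter().find_map(|p| det.observe(p, top_n))
}

/// Constructed sample: one full window where 96% of packets are SYNs,
/// most of them from 10.0.0.1 (example addresses, not real captures).
pub fn sample_flood_window() -> Vec<IngressPacket> {
    let (a, b, c) = (Ipv4Addr::new(10, 0, 0, 1), Ipv4Addr::new(10, 0, 0, 2), Ipv4Addr::new(192, 0, 2, 10));
    let mut pkts = Vec::with_capacity(WINDOW_SIZE);
    pkts.extend((0..60_000).map(|_| IngressPacket { src: a, tcp_syn: true }));
    pkts.extend((0..36_000).map(|_| IngressPacket { src: b, tcp_syn: true }));
    pkts.extend((0..4_000).map(|_| IngressPacket { src: c, tcp_syn: false }));
    pkts
}

/// Constructed sample: a full window of ordinary traffic where half the packets are SYNs.
pub fn sample_normal_window() -> Vec<IngressPacket> {
    let c = Ipv4Addr::new(192, 0, 2, 10);
    (0..WINDOW_SIZE).map(|i| IngressPacket { src: c, tcp_syn: i % 2 == 0 }).collect()
}

fn main() {
    match first_report(&sample_flood_window(), 3) {
        Some(r) => {
            println!("SYN flood: {}/{} SYN packets", r.syn_count, r.window_size);
            for (ip, n) in &r.top_sources {
                println!("  {ip}: {n} SYNs");
            }
        }
        None => println!("No threats or attacks have been detected."),
    }
}
```

Because the counters reset at every window boundary, a burst that straddles two windows contributes to the ratio of each separately; that matches the documented behaviour, where no verdict is possible until a full 100,000 ingress packets have been counted.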