Anti-Raid Protection
Discord raids overwhelm your community with coordinated attacks from multiple accounts. SYNTHET's anti-raid system automatically detects multiple attack patterns and triggers intelligent lockdown, quarantine, and verification responses.
What is a Raid Attack?
A Discord raid is a coordinated attack using multiple accounts (often bot networks) to overwhelm your server:
Join Floods
Dozens or hundreds of accounts join in seconds, creating notification spam and overwhelming moderation. May be used as distraction before other attacks.
Message Spam
Coordinated message flooding in channels to bury legitimate conversations. May include links to malware, scams, or inappropriate content.
Mention Spam
Repeated @mentions targeting staff, @everyone, or @here to disrupt and annoy. Creates notification overload.
New Account Patterns
Raids typically use accounts created within hours or minutes of the attack. Account age is a key indicator of malicious intent.
Coordinated Behavior
Multiple accounts with similar names, avatars, or behavior patterns arriving simultaneously. Bot networks have recognizable signatures.
Raid Detection Methods
SYNTHET uses multiple detection techniques to identify raids with minimal false positives:
Member Join Spike Detection
Monitors join rate in real-time. If your server normally gains 5 members per hour but suddenly gains 50 in 2 minutes, this is flagged as suspicious.
Configurable sensitivity: Define what "spike" means for your server size (10 for small servers, 100+ for large).
Message Flood Detection
Tracks messages per channel and per user. Detects when a new user or set of new users post excessive messages in a short time.
Configurable threshold: Alert if 1 user posts 10+ messages in 1 minute, or if multiple users post 50+ total in 1 minute.
New Account Pattern Matching
Analyzes account creation dates during joins. If 80%+ of joining accounts were created within the last 24 hours, this is a strong raid indicator.
Account age threshold: Customize the "suspicious age" cutoff (default: 24 hours old or newer).
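The join-spike and new-account checks described above can be combined in one sliding window. The following is an added example, not SYNTHET's own code: `JoinMonitor`, `JoinVerdict` and `snowflake_for` are hypothetical names, the defaults reuse the figures quoted above (50 joins in 2 minutes, 80% of accounts 24 hours old or newer), and requiring both signals before flagging is an assumption. Account age is read from the creation timestamp that Discord encodes in every user ID.

```python
from collections import deque
from dataclasses import dataclass

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, origin of snowflake timestamps


def account_created_at(user_id: int) -> float:
    """Unix seconds at which a Discord ID (snowflake) was minted: top bits hold ms since epoch."""
    return ((user_id >> 22) + DISCORD_EPOCH_MS) / 1000.0


def snowflake_for(created_at: float) -> int:
    """Build a constructed sample ID for a given creation time (test data only)."""
    return (int(round(created_at * 1000)) - DISCORD_EPOCH_MS) << 22


@dataclass
class JoinVerdict:
    joins_in_window: int
    new_account_ratio: float
    spike: bool        # join-rate threshold reached
    mostly_new: bool   # share of young accounts reached

    @property
    def raid_suspected(self) -> bool:
        # Assumption: require both signals, so one young account joining a quiet server is not flagged.
        return self.spike and self.mostly_new


class JoinMonitor:
    """Hypothetical sliding-window detector; defaults mirror the figures quoted above."""

    def __init__(self, window_s=120, spike_joins=50, max_age_s=24 * 3600, new_ratio=0.80):
        self.window_s, self.spike_joins = window_s, spike_joins
        self.max_age_s, self.new_ratio = max_age_s, new_ratio
        self._joins = deque()  # (joined_at, is_new_account), oldest first

    def record_join(self, user_id: int, joined_at: float) -> JoinVerdict:
        age_s = joined_at - account_created_at(user_id)
        self._joins.append((joined_at, age_s <= self.max_age_s))
        while self._joins[0][0] <= joined_at - self.window_s:  # expire old joins
            self._joins.popleft()
        total = len(self._joins)
        ratio = sum(is_new for _, is_new in self._joins) / total
        return JoinVerdict(total, ratio, total >= self.spike_joins, ratio >= self.new_ratio)
```

Call `record_join` from the bot's member-join handler with the member's ID and the join time; the returned verdict exposes each signal separately so alerts can report which one fired.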
Mention Spam Detection
Monitors @mentions per message and per user. Detects coordinated mention spam patterns like every message containing 5+ mentions.
Configurable limit: Alert if a single message has 5+ unique mentions, or a user averages 3+ mentions per message.
Username Pattern Clustering
Identifies accounts with similar usernames or similar avatar patterns. Bot networks often use naming conventions like "user1234", "user1235", etc.
ML analysis: Pattern matching catches coordinated networks even with slight variations.
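A simplified illustration of username clustering follows. It is an added example, not SYNTHET's implementation, and it swaps the ML analysis mentioned above for plain string normalization plus a similarity ratio from Python's standard `difflib`; the function names, the 0.85 similarity cutoff and the minimum cluster size of 3 are assumptions.

```python
import re
from difflib import SequenceMatcher


def stem(username: str) -> str:
    """Lowercase and drop digits and separators, so 'User_1236' and 'user1234' share a stem."""
    return re.sub(r"[\d_.\-\s]+", "", username.lower())


def cluster_usernames(usernames, min_cluster=3, similarity=0.85):
    """Group names whose stems are near-identical; return only groups large enough to matter."""
    clusters = []  # list of (representative_stem, [original usernames])
    for name in usernames:
        s = stem(name)
        if not s:
            continue  # nothing left to compare once digits and separators are removed
        for rep, members in clusters:
            # ratio() is 1.0 for identical stems and tolerates small edits such as one extra letter.
            if SequenceMatcher(None, rep, s).ratio() >= similarity:
                members.append(name)
                break
        else:
            clusters.append((s, [name]))
    return [members for _, members in clusters if len(members) >= min_cluster]


# Constructed sample of recent joiners: four follow one naming convention, three do not.
RECENT_JOINS = ["user1234", "user1235", "User_1236", "usser1237",
                "alice", "bob_the_builder", "carol99"]

if __name__ == "__main__":
    for group in cluster_usernames(RECENT_JOINS):
        print(f"{len(group)} similar names: {group}")
```

Run this over the names that joined inside the current detection window rather than the whole member list, since common stems occur naturally in large servers.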
Lockdown Mode
When a raid is detected, lockdown mode instantly restricts server capabilities to trusted roles only:
What Lockdown Does
Lockdown temporarily disables dangerous capabilities across the server:
- New members cannot post messages in any channel
- New members cannot add reactions
- New members cannot join voice channels
- Only verified/trusted roles can send messages in critical channels
Lockdown Scope
Lockdown can be applied server-wide or to specific channels. For precision, you might lock only #general and #announcements while allowing #voice-chat to remain open.
Who Can Trigger Lockdown
Lockdown triggers automatically when a raid is detected, or can be manually triggered by:
- Server owner (always)
- Members with specific RBAC capability grants
- Automated raid detection system
Lockdown Duration
Set automatic lockdown duration (default: 15 minutes) or manually lift lockdown once the threat subsides. Configurable per channel/server.
Quarantine System
Suspicious members are automatically assigned a quarantine role that restricts access while you verify their legitimacy:
Auto-Assign Quarantine Role
New accounts matching suspicious patterns (created within 24 hours, joining during raid, etc.) automatically receive the quarantine role. You configure what this role can/cannot do.
Quarantine Permission Set
Typical quarantine permissions:
- Can view #welcome and #rules channels
- Cannot send messages or post
- Cannot use commands except verification commands
- Cannot join voice channels
Quarantine Verification
Quarantined users can prove legitimacy through CAPTCHA verification, email verification, or manual approval from a moderator. Once verified, the quarantine role is removed.
Quarantine Duration
Quarantine can be time-limited (auto-lift after 24 hours unless verified) or indefinite until manual removal. Expired quarantines are tracked in the audit log.
Account Age Filtering
Discord account age is one of the strongest indicators of raid participation. SYNTHET lets you configure age-based filtering:
Age Threshold Configuration
Define what counts as "new account":
- Instant (0 hours): Created in the last 0 hours (only active, coordinated attacks)
- Same Day (24 hours): Created today (default, catches most raids)
- Same Week (7 days): Created this week (strict, high false positives)
Actions on New Accounts
Choose what happens when a new account joins:
- Log Only: Record the join, but allow normal access (informational)
- Quarantine: Auto-assign quarantine role (recommended)
- Kick: Automatically kick new accounts (strict, may kick legitimate users)
- Ban: Automatically ban new accounts (very strict, use carefully)
Spike-Based Adjustments
During raids, age thresholds can automatically become stricter. If the join rate exceeds the spike threshold, the system might automatically quarantine all accounts created in the last 7 days instead of 24 hours.
CAPTCHA Verification
CAPTCHA verification proves that a quarantined account is human-controlled, allowing them to exit quarantine:
How Verification Works
Quarantined members receive a DM with a CAPTCHA challenge. Upon successful completion, they're automatically removed from quarantine and gain full access.
Customizable Challenges
Choose verification difficulty:
- Image CAPTCHA: Classic "click the traffic lights" challenge
- Math Challenge: Simple math questions (a light check that a human is responding)
- Puzzle Slider: Drag-to-verify style challenges
Verification Timeout
Set how long users have to complete verification (default: 24 hours). After timeout, they're kicked or permanently quarantined.
Note: CAPTCHAs aren't foolproof against sophisticated attackers, but they effectively stop automated bot raids.
Alert Channels
Configure where raid alerts are sent so your moderation team is immediately notified:
Alert Channel Selection
Choose which channels receive alerts. Commonly #mod-alerts, #security, or #admin-log. You can send different severity levels to different channels.
Alert Content
Each alert includes:
- Raid detection type (join spike, message flood, etc.)
- Severity level (Medium, High, Critical)
- Number of accounts involved
- Actions SYNTHET took (lockdown triggered, members quarantined, etc.)
- Quick action buttons (lift lockdown, view members, export report)
DM Notifications
Optionally send urgent alerts (Critical severity) directly to the server owner via DM so they're notified even if offline.
Auto-Recovery After Raid
Once a raid ends, SYNTHET automatically restores normal operations:
Raid Subsidence Detection
SYNTHET monitors join rates and message rates. When activity returns to normal baselines for a configured duration (default: 5 minutes), the raid is considered over.
Automatic Lockdown Lift
If lockdown was auto-triggered and the raid subsides, lockdown is automatically lifted after the configured duration (default: 15 minutes). Manual lockdowns require manual lifting.
Quarantine Remains
Members remain quarantined even after lockdown lifts. This allows manual review of suspicious accounts. Quarantined members can self-verify via CAPTCHA or wait for mod approval.
Notifications to Mods
When recovery happens, mods are notified so they can review quarantined members and clean up if necessary.
Dashboard Configuration
Configure all anti-raid settings from the Security dashboard (Protection → Anti-Raid).
Best Practices
1. Start with High sensitivity: Better to quarantine legitimate users than miss a raid. Legitimate users can verify with CAPTCHA.
2. Enable all detection methods: Different raids have different signatures. Layered detection catches more attacks.
3. Keep alert channels active: Have mods check #raid-alerts regularly. Quick response times matter during active raids.
4. Regular verification review: Check the quarantine list weekly and approve legitimate members or kick suspicious ones.
5. Test lockdown procedures: Ensure your team knows how to lift lockdown and communicate with users during raids.
6. Monitor false positives: Track quarantine rates. If legitimate users are quarantined frequently, reduce sensitivity slightly.
7. Advertise verification: Let the community know new members can verify with CAPTCHA to skip quarantine (encourages adoption).