Abstract
A Spoofed Denial of Service (DoS) detection system is described that analyzes the entropy of the distributions of source and destination IP address aggregate flow share for IP traffic traversing one or more links. A source IP address aggregate entropy time series and a destination IP address aggregate entropy time series are derived, and adaptive thresholding is applied to each series to obtain upper and lower entropy thresholds for the current measurement. For the traffic currently traversing the monitored links, current source and destination entropy values are computed on a near real-time basis. If the entropy of the current distribution of destination IP address aggregate flow share falls below the lower threshold identified for the destination entropy time series, a possible Denial of Service attack may be declared: flow share is concentrating on a small set of targets. If, in addition, the decline in destination entropy is accompanied by a rise in the entropy of the current distribution of source IP address aggregate flow share, such that the current source entropy exceeds the upper threshold identified for the source entropy time series, a Spoofed Denial of Service attack may be declared: forged, widely scattered source addresses spread flow share across many more source aggregates than the link normally carries. We document an application of this approach to identifying Spoofed Denial of Service attacks on peering links monitored by the AT&T Common IP Backbone, a Tier 1 ISP.
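The detection logic the abstract describes, as an added example rather than the chapter's own code. The page does not state the aggregation granularity, the flow-share measure or the adaptive thresholding rule, so this example assumes /24 prefixes as aggregates, the fraction of flow records per aggregate as flow share, and mean plus or minus K standard deviations over a trailing window of benign bins as the thresholds. The traffic bins are constructed inline: evenly spread benign traffic, a single-source flood (destination entropy collapses, source entropy does not rise) and a spoofed flood (destination entropy collapses while the forged sources push source entropy above its upper threshold).

```python
"""Entropy-based spoofed DoS detection over per-bin flow records.

Added example, not the chapter's code.  Assumptions not stated on the page:
aggregation to /24 prefixes, flow share = fraction of flow records per
aggregate, thresholds = mean +/- K*std over a trailing window of benign bins.
"""
import ipaddress
import math
import statistics
from collections import Counter, deque

PREFIX_LEN = 24      # assumed aggregation granularity
WINDOW = 30          # trailing bins used for adaptive thresholds
K = 3.0              # threshold width in standard deviations
MIN_HISTORY = 10     # bins needed before thresholds are trusted


def aggregate(ip: str) -> str:
    """Map an address to its /PREFIX_LEN aggregate, e.g. 10.0.7.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{PREFIX_LEN}", strict=False))


def share_entropy(keys) -> float:
    """Shannon entropy (bits) of the flow-share distribution over keys."""
    counts = Counter(keys)
    total = sum(counts.values())
    if total == 0:            # empty bin: no distribution, define H = 0
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def bin_entropies(flows):
    """flows: iterable of (src_ip, dst_ip) records. Returns (H_src, H_dst)."""
    srcs, dsts = zip(*flows) if flows else ((), ())
    return (share_entropy(aggregate(s) for s in srcs),
            share_entropy(aggregate(d) for d in dsts))


class SpoofedDosDetector:
    def __init__(self, window=WINDOW, k=K, min_history=MIN_HISTORY):
        self.src_hist = deque(maxlen=window)   # source entropy time series
        self.dst_hist = deque(maxlen=window)   # destination entropy time series
        self.k = k
        self.min_history = min_history

    @staticmethod
    def _bounds(hist, k):
        mean = statistics.fmean(hist)
        sd = statistics.pstdev(hist)
        return mean - k * sd, mean + k * sd

    def observe(self, flows) -> dict:
        """Classify one time bin of flows and update the baseline series."""
        h_src, h_dst = bin_entropies(flows)
        result = {"h_src": h_src, "h_dst": h_dst, "verdict": "learning"}
        if len(self.dst_hist) >= self.min_history:
            dst_lower, _ = self._bounds(self.dst_hist, self.k)
            _, src_upper = self._bounds(self.src_hist, self.k)
            result.update(dst_lower=dst_lower, src_upper=src_upper)
            if h_dst < dst_lower:
                # Destination share has concentrated; spoofing shows up as a
                # simultaneous spread of source share above the upper bound.
                result["verdict"] = "spoofed_dos" if h_src > src_upper else "dos"
            else:
                result["verdict"] = "normal"
        # Only benign-looking bins feed the baseline, so an ongoing attack
        # cannot drag the thresholds toward itself.
        if result["verdict"] in ("learning", "normal"):
            self.src_hist.append(h_src)
            self.dst_hist.append(h_dst)
        return result


# ---- constructed traffic (not real measurements) --------------------------
def benign_bin(n_active: int):
    """n_active source /24s, 5 flows each, spread evenly over n_active dest /24s."""
    return [(f"10.0.{j}.{k}", f"172.16.{(j + k) % n_active}.1")
            for j in range(n_active) for k in range(5)]


def flood_bin():
    """One real source /24 flooding one victim /24: both entropies collapse."""
    return [("10.9.9.1", "172.16.5.10")] * 1000


def spoofed_attack_bin():
    """1000 flows, each from a different forged source /24, all to one victim."""
    return [(f"{100 + i // 256}.{i % 256}.9.7", "172.16.5.10") for i in range(1000)]


def run_demo() -> dict:
    det = SpoofedDosDetector()
    for i in range(30):                      # build the baseline series
        det.observe(benign_bin(36 + i % 9))  # 36..44 active aggregates per bin
    return {
        "normal": det.observe(benign_bin(40))["verdict"],
        "flood": det.observe(flood_bin())["verdict"],
        "spoofed": det.observe(spoofed_attack_bin())["verdict"],
    }


if __name__ == "__main__":
    print(run_demo())
```

With uniform shares the entropy of a bin is exactly log2 of the number of active aggregates, so the benign series sits near log2(40) with a small spread; the flood drives destination entropy to 0 without raising source entropy and is labelled a plain DoS, while the spoofed flood also lifts source entropy to log2(1000), past the upper threshold. Freezing the baseline during declared attacks is this example's choice, not something the page states; without it a long attack would become the new normal.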
© 2008 Springer Science+Business Media, LLC
Ehrlich, W.K., Futamura, K., Liu, D. (2008). An Entropy Based Method to Detect Spoofed Denial of Service (DoS) Attacks. In: Raghavan, S., Golden, B., Wasil, E. (eds) Telecommunications Modeling, Policy, and Technology. Operations Research/Computer Science Interfaces, vol 44. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-77780-1_6
DOI: https://doi.org/10.1007/978-0-387-77780-1_6
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-77779-5
Online ISBN: 978-0-387-77780-1