An Entropy Based Method to Detect Spoofed Denial of Service (Dos) Attacks

  • Chapter
Telecommunications Modeling, Policy, and Technology

Part of the book series: Operations Research/Computer Science Interfaces (ORCS, volume 44)

Abstract

A Spoofed Denial of Service (DoS) detection system is described that analyzes the level of entropy in the distributions of source and destination IP address aggregate flow share for IP traffic traversing one or more links. A source IP address aggregate entropy time series and a destination IP address aggregate entropy time series are derived, and adaptive thresholding is then applied to each time series to identify upper and lower entropy thresholds for current measurements. Given the current traffic traversing the set of monitored links, current source and destination entropy values are computed on a near real-time basis. If the entropy of the current distribution of destination IP address aggregate flow share falls below the lower entropy threshold identified for the destination entropy time series, a possible Denial of Service attack may be declared. If, in addition, the decline in entropy in the destination entropy time series is accompanied by a rise in the entropy of the current distribution of source IP address aggregate flow share, and the current source entropy is greater than the upper entropy threshold identified for the source entropy time series, a Spoofed Denial of Service attack may be declared. We document an application of this approach to identifying Spoofed Denial of Service attacks on Peering Links monitored by the AT&T Common IP Backbone Tier 1 ISP.
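The two-stage decision rule described in the abstract, as an added illustration that is not the chapter's own code or data: flows are aggregated to /24 prefixes (an assumption; the chapter's aggregation granularity is not given here), Shannon entropy of the per-aggregate flow share is computed per interval, and thresholds are a rolling mean plus or minus max(3 sigma, 0.1 bit) as a stand-in for the chapter's adaptive thresholding. All traffic in `run_demo` is constructed.

```python
import math
import statistics
from collections import Counter

def aggregate(ip, prefix_len=24):
    """Map an IPv4 address to its /prefix_len aggregate (assumption: /24 aggregates)."""
    n = 0
    for octet in ip.split("."):
        n = (n << 8) | int(octet)
    n &= (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return f"{n >> 24}.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}/{prefix_len}"

def entropy_bits(counts):
    """Shannon entropy in bits of the flow-share distribution over aggregates."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c) if total else 0.0

def interval_entropies(flows):
    """flows: (src_ip, dst_ip) pairs seen in one interval; returns (H_src, H_dst)."""
    src = Counter(aggregate(s) for s, _ in flows)
    dst = Counter(aggregate(d) for _, d in flows)
    return entropy_bits(src), entropy_bits(dst)

def thresholds(series, k=3.0, margin=0.1):
    """Adaptive lower/upper thresholds: mean +/- max(k*stdev, margin). Stand-in rule (assumption)."""
    mu, sd = statistics.fmean(series), statistics.pstdev(series)
    w = max(k * sd, margin)
    return mu - w, mu + w

def classify(src_hist, dst_hist, h_src, h_dst):
    """Rule from the abstract: destination entropy below its lower threshold => possible DoS;
    additionally source entropy above its upper threshold => spoofed DoS."""
    src_lo, src_hi = thresholds(src_hist)
    dst_lo, dst_hi = thresholds(dst_hist)
    if h_dst < dst_lo:
        return "spoofed_dos" if h_src > src_hi else "possible_dos"
    return "normal"

def baseline_interval(seed):
    """Constructed normal traffic: 8 source /24s talking to 8 destination /24s with mild skew."""
    return [(f"10.{s}.0.{1 + seed}", f"192.168.{d}.{1 + seed}")
            for s in range(8) for d in range(8) for _ in range(1 + (s + d + seed) % 3)]

def run_demo():
    hist = [interval_entropies(baseline_interval(i)) for i in range(6)]
    src_hist, dst_hist = [h[0] for h in hist], [h[1] for h in hist]
    cases = {"normal": baseline_interval(7),
             "single_source_flood": [("198.51.100.9", "192.168.5.1")] * 200,  # constructed
             "spoofed_flood": [(f"203.0.{i}.1", "192.168.5.1") for i in range(64)]}  # constructed
    return {name: classify(src_hist, dst_hist, *interval_entropies(f)) for name, f in cases.items()}
```

The single-source flood collapses destination entropy but not source entropy, so it is reported only as a possible DoS; the flood from 64 distinct source aggregates raises source entropy to 6 bits and is reported as spoofed.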




© 2008 Springer Science+Business Media, LLC

Cite this chapter

Ehrlich, W.K., Futamura, K., Liu, D. (2008). An Entropy Based Method to Detect Spoofed Denial of Service (Dos) Attacks. In: Raghavan, S., Golden, B., Wasil, E. (eds) Telecommunications Modeling, Policy, and Technology. Operations Research/Computer Science Interfaces, vol 44. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-77780-1_6


  • DOI: https://doi.org/10.1007/978-0-387-77780-1_6

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-77779-5

  • Online ISBN: 978-0-387-77780-1

  • eBook Packages: Computer Science, Computer Science (R0)
