An Entropy Based Method to Detect Spoofed Denial of Service (DoS) Attacks


Abstract

A Spoofed Denial of Service (DoS) detection system is described that analyzes the level of entropy in the distributions of source and destination IP address aggregate flow share for IP traffic traversing one or more links. A source IP address aggregate entropy time series and a destination IP address aggregate entropy time series are derived, and adaptive thresholding is applied to each time series to identify upper and lower entropy thresholds for the current measurements. Given the current traffic traversing the set of monitored links, current source and destination entropy values are computed on a near real-time basis. If the entropy of the current distribution of destination IP address aggregates' flow share falls below the lower entropy threshold identified for the destination entropy time series, a possible Denial of Service attack may be declared. If, in addition, the decline in destination entropy is accompanied by a rise in the entropy of the current distribution of source IP address aggregates' flow share, and the current source entropy is greater than the upper entropy threshold identified for the source entropy time series, a Spoofed Denial of Service attack may be declared. We document an application of this approach to identifying Spoofed Denial of Service attacks on Peering Links monitored by the AT&T Common IP Backbone Tier 1 ISP.
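The decision rule sketched in the abstract, as an added illustration that is not code from the paper: per-window Shannon entropy of source and destination aggregate flow share, thresholds derived from a historical entropy series, and the DoS versus spoofed-DoS distinction. The mean plus or minus k standard deviations threshold, the aggregate labels and all flow data are constructed assumptions; the paper's actual adaptive-thresholding rule is not given in the abstract.

```python
import math
from collections import Counter

def flow_share_entropy(flows, key):
    """Shannon entropy (bits) of the flow-share distribution over one
    IP address aggregate field ('src' or 'dst') of a window of flows."""
    counts = Counter(f[key] for f in flows)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def adaptive_thresholds(series, k=2.0):
    """Lower/upper entropy thresholds from a historical entropy series.
    Assumption: mean +/- k standard deviations (the paper's exact
    adaptive-thresholding rule is not stated in the abstract)."""
    mean = sum(series) / len(series)
    sd = math.sqrt(sum((x - mean) ** 2 for x in series) / len(series))
    return mean - k * sd, mean + k * sd

def classify_window(flows, src_hist, dst_hist, k=2.0):
    """Apply the abstract's decision rule to the current flow window."""
    dst_now = flow_share_entropy(flows, "dst")
    src_now = flow_share_entropy(flows, "src")
    dst_lower, _ = adaptive_thresholds(dst_hist, k)
    _, src_upper = adaptive_thresholds(src_hist, k)
    if dst_now >= dst_lower:
        return "normal"        # destination share has not collapsed
    if src_now > src_upper:
        return "spoofed-dos"   # dst collapse plus abnormally many sources
    return "possible-dos"      # dst collapse only

# Constructed historical entropy series (bits) for the monitored links.
SRC_HIST = [3.9, 4.1, 4.0, 3.8, 4.2, 4.0]
DST_HIST = [3.5, 3.6, 3.4, 3.5, 3.7, 3.3]

def make_window(n_src, n_dst, n_flows):
    """Constructed flow window: flows spread round-robin over n_src
    source aggregates and n_dst destination aggregates."""
    return [{"src": f"src-{i % n_src}", "dst": f"dst-{i % n_dst}"}
            for i in range(n_flows)]

NORMAL = make_window(16, 12, 48)    # balanced traffic
FLOOD = make_window(4, 1, 48)       # four real sources hit one victim
SPOOFED = make_window(32, 1, 96)    # many spoofed sources, one victim

if __name__ == "__main__":
    for name, w in [("NORMAL", NORMAL), ("FLOOD", FLOOD), ("SPOOFED", SPOOFED)]:
        print(name, classify_window(w, SRC_HIST, DST_HIST))
```

The FLOOD window shows why the source-entropy test matters: destination entropy collapses in both attack windows, but only the spoofed one pushes source entropy above the upper threshold.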

Citation (APA)

Ehrlich, W. K., Futamura, K., & Liu, D. (2008). An Entropy Based Method to Detect Spoofed Denial of Service (DoS) Attacks. Operations Research/ Computer Science Interfaces Series, 44, 101–122. https://doi.org/10.1007/978-0-387-77780-1_6
