International Journal of Computer Science Engineering

and Information Technology Research(IJCSEITR)

ISSN 2249-6831
Vol. 3, Issue 1, Mar 2013, 201-210
TJPRC Pvt. Ltd.

DETECTION OF DDoS ATTACKS USING SOURCE IP BASED ENTROPY

JASWINDER SINGH1, MONIKA SACHDEVA2 & KRISHAN KUMAR3
1

Assistant Professor at GTBKIET, Chhapianwali District, Mukatsar, Punjab, India

2

Associate Professor at SBSSTC, Ferozepur District, Ferozepur, Punjab, India

Associate Professor at PTU Main Campus, APIT, Kapurthla District, Jalandhar, Punjab, India

ABSTRACT
There are about nine hundred million people, who use internet now-a-days. They use the internet to communicate
with each other and all over the world, business-men can do their work over the internet, and there is much more to it. In a
nutshell, the world is highly dependent on the Internet. Therefore, the availability of internet is very critical for the socio
economic growth of the society. One of the major security problems in the current Internet, is the denial-of-service (DoS)
attack always attempts to stop the victim from serving legitimate users. Denial-of-service (DoS) and distributed-denial-ofservice (DDoS) attacks cause a serious danger to Internet operation.
An important method for stopping DDoS attacks is to detect attackers and handlers. Detection of DDoS attacks is
a challenging problem for network security. In this paper, the proposed work aims at detecting DDoS attacks in the
network using Entropy Based Anomaly Detection Algorithm. The value of entropy is calculated with respect to time and
packet windows. The results indicate that during normal activity i.e. only legitimate traffic is flowing, value of entropy lies
in a narrow range but in case of attack, it increases or decreases considerably. So, attack can easily be detected.

KEYWORDS: DoS, DDoS, Availability, Entropy, Detection

INTRODUCTION
One of the major security problems in the current Internet, a denial-of-service (DoS) attack always attempts to
stop the victim from serving legitimate users. Denial-of-service (DoS) and distributed-denial-of-service (DDoS) attacks
cause a serious danger to Internet operation. A distributed denial-of-service (DDoS) attack is a DoS attack which relies on
multiple compromised hosts in the network to attack the victim [13]. There are mainly two types of DDoS attacks. The first
type of DDoS attacks aim of attacking the victim to force it not to serve legitimate users by exploiting software and
protocol vulnerabilities. The second type of DDoS attack is based on a massive volume of attack traffic, which is known as
a flooding-based DDoS attack. A flooding-based DDoS attack attempts to congest the victim's network bandwidth with
real-looking but unwanted data. As a result, legitimate packets cannot reach the victim due to a lack of bandwidth resource.
DDoS attacks are comprised of packet streams from disparate sources. These attacks engage the power of a vast
number of coordinated Internet hosts to consume some critical resource at the target and deny the service to legitimate
clients. The traffic is usually difficult to distinguish legitimate packets from attack packets. The attack volume can be
larger than the system can handle. A DDoS victim can suffer from damages ranging from system shutdown and file
corruption, to total or partial loss of services [6]. There are no apparent characteristics of DDoS streams that could be
directly used for their detection and filtering. The attacks achieve their desired effect by the sheer volume of attack packets.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are specific attacks that attempt to
prevent legitimate users from accessing networks, servers, services or other resources. An important method for stopping

202

Jaswinder Singh, Monika Sachdeva & Krishan Kumar

DDoS attacks is to detect attackers and handlers. Attack detection aims to detect DDoS attack in process of an attack and
characterise to discriminate attack traffic from legitimate traffic [15].
Attack detection is responsible for identifying DDoS attacks or attack packets. The False Positive Ratio (FPR) and
False Negative Ratio (FNR) can quantitatively measure the effectiveness of attack detection. False Positive Ratio is given
by the number of packets classified as attack packets (positive) by a detection system that are confirmed to be normal
(negative), divided by the total number of confirmed normal packets. The False Negative Ratio, on the other hand, is given
by the number of packets classified as normal (negative) by a detection system that are confirmed to be attack packets
(positive), divided by total number of confirmed attack packets [26].
Attack detection techniques aims to detect DDoS attacks by monitoring the behavior of the host and network.
They generate profiles for normal usage by analyzing system and network behaviors under normal conditions. Once they
detect an abnormal behavior, they invoke preventive mechanisms, such as filtering or rate-limiting.
According to [7] in order to meet the increasing need for detection and response, researchers face following major
issues:

A stand-alone router on the attack path should automatically recognize that the network is under attack and adjust
its traffic flow to ease the attack impact downstream.

The detection and response techniques should be adaptable to a wide range of network environments, preferably
without significant manual tuning.

Attack detection should be as accurate as possible. False positives can lead to inappropriate responses that cause
denial of service to legitimate users. False negatives result in attacks going unnoticed.

Attack response should employ intelligent packet discard mechanisms to reduce the downstream impact of the
flood while preserving and routing the non-attack packets.
The detection method should be effective against a variety of attack tools available today and also robust against

future attempts by attackers to evade detection.

RELATED WORK
The first well-publicized DDoS attack in the public press was in February 2000. On February 7, Yahoo! was the
victim of a DDoS during which its Internet portal was inaccessible for three hours. On February 8, Amazon, Buy.com,
CNN, and eBay were all hit by DDoS attacks that caused them to either stop functioning completely or slowed them down
significantly. And, on February 9, E*Trade and ZDNet both suffered DDoS attacks. Analysts estimated that during the
three hours Yahoo was down, it suffered a loss of e-commerce and advertising revenue that amounted to about $500,000.
According to book seller Amazon.com, its widely publicized attack resulted in a loss of $600,000 during the 10 hours it
was down. During their DDoS attacks, Buy.com went from 100% availability to 9.4%, while CNN.com's users went down
to below 5% of normal volume and Zdnet.com and E*Trade.com were virtually unreachable.
Laura Feinstein, Dan Schnackenberg, Ravindra Balupari, Darrell Kindred in 2003 [7] developed methods to
identify DDoS attacks by computing entropy and frequency-sorted distributions of selected packet attributes. Jian Yuan
and Kevin Mills in 2005 [12] proposed a method for early attack detection. Using only a few observation points, proposed
method can monitor the macroscopic effect of DDoS flooding attacks. George Nychis, Vyas Sekar, David G. Andersen,
Hyong Kim and Hui Zhang in 2008 [11] proposed that the time series of entropy values of the address and port

Detection of DDoS Attacks Using Source IP Based Entropy

203

distributions are strongly correlated with each other and provide very similar anomaly detection capabilities. B. B. Gupta,
Manoj Misra and R. C. Joshi in 2008 [9] proposed a novel framework that deals with the detection of variety of DDoS
attacks by monitoring propagation of abrupt traffic changes inside ISP Domain and then characterizes flows that carry
attack traffic. Two statistical metrics namely, Volume and Flow are used as parameters to detect DDoS attacks. Anusha J.
in 2011 [1] proposed a scheme to find out the source of the attack with the help of entropy variation in dynamic by
calculating the packet size, which shows the variation between normal and DDOS attack traffic, which is fundamentally
different from commonly used packet marking techniques.

EXPERIMENT SETUP
Preprocessing of Datasets
For conducting all the experiments firstly the environment is created using the data analysis tools for
preprocessing of the real time data sets. The preprocessing of data sets is performed by using the traffic analysis tools. The
tools used for traffic analysis are: Libtrace Traffic Analysis tool and CoralReef Software Suite.
Experiment Methodology
In order to implement the detection methodology, the environment is created by installing various required
softwares i.e. CoralReef, Automake, Libpcap, Libtrace. After that in order to flow legitimate real time traffic in the
environment, we have explored various NZIX datasets and finalize one for use in the experiments. These files are
preprocessed with special traffic analysis tool software, called Libtrace. Libtrace is used to read compressed and heavy size
files easily with their tools. Libtrace has number of tools like Traceconvert, Tracereport, Tracesummary, Tracemerge,
Tracesplit etc for conversion of files from one format to another, merging and splitting of files. With the help of Libtrace,
these files are preprocessed easily and converted into the required format. Then the entropy of only legitimates packets is
calculated.
Next in order to identify the DDoS attack we have mix the attack traffic with legitimate traffic. So, for generating
the attack traffic in the network we have choose CAIDA data sets. Various CAIDA datasets are explored and one most
suitable for our experiments is finalized. These files are preprocessed by using traffic analysis tool CoralReef and data is
retrieved in appropriate format. Then we have mixed the attack traffic with the legitimate traffic. And again the Entropy of
mixed traffic is calculated. With the help of PERL programming language, selected data is retrieved from NZIX and
CAIDA trace files and used as input files to the program for computing entropy. The change in the value of the entropy
indicates that there is an attack in the network.
Evaluation Metric
Entropy is computed in order to detect the DDoS attack in a network. Entropy can be defined as measurement of
the randomness and uniformity of the IP addresses. Entropy can be calculated as:
n
H = ( p i log 2 p i )
i =1

(1)

Where pi is the value of probability i.e. frequency of occurrence of each unique symbol divided by total number of
symbols.
Source IP address based entropy can be calculated for anomaly base attack detection. Source IP address based
entropy is also called 32-bit entropy. In our proposed DDoS detection method, we have computed 32-bit entropy.

204

Jaswinder Singh, Monika Sachdeva & Krishan Kumar

DDoS Detection Methodology

Our DDoS detection methodology aims at detecting DDoS attacks in the network using Entropy Based Anomaly
Detection Algorithm. In order to detect the attack in the network, two different approaches are used. In the first, Entropy
with respect to time window is calculated and in the second approach, the Entropy with respect to packet window is
calculated. In the time window approach, entropy of the traffic is calculated with respect to equal time stamps and in the
packet window approach, equal numbers of flowing packets are taken from network traffic to compute the entropy.

RESULTS AND DISCUSSIONS

A number of experiments are conducted in order to check whether the network is under attack or not. An anomaly
based detection method is used to identify the attack in the network. The detection of DDoS attack with the variation in the
value of entropy in our experiments is analysed below.
Entropy w.r.t. Time Window
As shown in fig. 1, x-axis represents the time in seconds and y-axis represents the entropy value with respect to
time. The complete scenario is taken for 10 minutes duration means 600 seconds. Time window is taken as 1 second i.e.
entropy is computed after every 1 second for only legitimate traffic flowing through the network. The value of entropy in
this graph lies within the range 6.0-7.3, that means the graph represents that the value of the entropy lies in the same range
throughout the experiment. There is no heavy variation in the value of entropy. It indicates that there is no attack in the
network.

Figure 1: Entropy of Legitimate Packets w.r.t Time

To illustrate the effects of an attack on the entropy, we examined the traffic of 600 seconds excerpt from the
NZIX data set with an attack traffic excerpt from CAIDA data set comprising 10% of time stamp of total duration, starting
at time 300 seconds and ending at time 360 seconds. In this attack, IP source addresses are chosen at random from a
uniform distribution; we will focus on source-address-based detection. Before the attack begins, source address entropy
measurements fall entirely within the range 6.0-7.3. During the attack, the entropy decreases by approximately 4 and
reaches near about 2.0. Any maximum-entropy threshold setting between 2.1 and 3.3 would detect this attack without
generating any false-positives.
In figure 2, represents the scenario, in which we examined both legitimate and attack traffic flowing through the
network for same duration with time stamp 2 seconds i.e. Entropy for both legitimate and attack traffic is computed after
every 2 seconds. During the time from 1 second to 300 seconds, the value of entropy in this graph lies within the range 6.37.4 and time from 300 seconds to 360 seconds, the value of entropy falls down within the range 2.3 to 3.8 and again the
value of entropy again lies in narrow range 6.3 to 7.4 during the time period from 360 seconds to 600 seconds. In this
scenario, 600 times entropy is computed during total duration. The values of entropy are shown in graph. It indicate that

Detection of DDoS Attacks Using Source IP Based Entropy

205

when the value of entropy lies between 6.1 to 7.2, then there is no attack in the network and when entropy values falls
down , then there is an attack in the network. This graph represents that the attack is occurred between time periods 300
seconds to 360 seconds, during this time attack traffic is flowing through the network.

Figure 2: Entropy w.r.t. Time (Time Window=2 Seconds)

As shown in fig. 3, the entropy is calculated by taking time window of 5 seconds. As compare to fig. 2, line in this
graph (indicates the value of entropy w.r.t. time) is thin because the value of entropy is computed after every 5 seconds. It
means that entropy is computed 120 times in this scenario where as in previous scenario 300 times entropy values shown
i.e. more congested, more values on same space. As a result, in fig. 3, entropy values represented as thick line.

Figure 3: Entropy w.r.t. Time (Time Window=5 Seconds)

In figure3 scenario shows that during attack time, the value of entropy lies in the range between 2.4 to 3.9,
otherwise the value of entropy lies between ranges 7.0 to 7.6 when only legitimate traffic is flowing through the network.
Entropy w.r.t. Packet Window
In figure 4, x-axis represents the packet count and y-axis represents the entropy value with respect to packet.
Again the scenario is taken for 600 seconds, as discussed in previous section.

Figure 4: Entropy of Legitimate Traffic w.r.t. Packet Window

206

Jaswinder Singh, Monika Sachdeva & Krishan Kumar

There are 9050000 packets are flowing through the network during this time. In this scenario, entropy is computed
w.r.t. packet count (no. of packets). Packet count is taken as 100 packets, so entropy is computed after every 100 packets.
During this time span, 90500 times entropy is computed and shown in graph, so the graph becomes more congested and
values represented with solid and thick line as compared to previous section. In this graph, the value of entropy lies
between the ranges 3.0 to 6.1, when only legitimate traffic is flowing through the network.
In figure 5, packet window is taken as 1000 packets i.e. entropy is computed after every 1000 packets. There are
9050 times entropy is computed and shown on graph, so the graph becomes less congested and values represented with
more thin line as compared to previous figure. The value of entropy in this graph lies within the range 5.2-7.1, when
normal traffic is flowing through the network and when value falls down and lies between the range 2.3-2.9, then there is
an attack.

Figure 5: Entropy w.r.t. Packet Count (Window Size= 1000 Packets)

Similarly, in figure 6, entropy is computed after every 10,000 packets. So there are 905 times entropy is computed
and shown on graph, which shows very thin line as compared to previous fig. 6. The value of entropy in this graph lies
within the range 7.0-7.5, when normal traffic is flowing through the network and when value falls down and lies between
the range 2.8-3.9, then there is an attack.

Figure 6: Entropy w.r.t. Packet Count (Window Size= 10,000 Packets)

CONCLUSIONS
As objective of this paper is to propose a framework to detect the DDoS attack using real time attack traces as
well as legitimate traces. After identification of different types of DDoS detection methods, Anomaly based detection
method is selected. Source IP address based entropy is used to identify DDoS attack in the network. Through our
experimentation we observed that:

Detection of DDoS Attacks Using Source IP Based Entropy

207

While a network is not under attack the value of Entropy for various packets fall in a narrow range.

While the network is under DDoS attack, the value of Entropy decreases in a detectable manner due to high
volume DDoS attack.

REFERENCES
1.

Anusha, J. (2011). Entropy Based Detection of DDOS Attacks, International Journal of Soft Computing and
Engineering (IJSCE), Vol. 1, pp. 564-567.

2.

CAIDA Datasets, Available at: http://www.caida.org/data/passive/ddos-20070804_134936.pcap.gz [last accessed

February, 2012]

3.

Carl, G., Kesidis, G., Brooks, R. R. and Rai, S. (2006). Denial-of-Service Attack- Detection Techniques,
Published by the IEEE Computer Society, pp.82-89.

4.

CoralReef Documentation, Available at: http://www.caida.org/tools/measurement/coralreef/doc. [last accessed

April, 2012]

5.

DDoS History In Brief, Available at: http://www.anml.iu.edu/ddos/history.html. [last accessed January, 2010]

6.

Douligeris, C. and Mitrokotsa, A. (2004). DDoS attacks and defense mechanisms: classification and state-of-theart, ELSEVIER Journal of Computer Networks, vol.44, No.5, pp. 643-666.

7.

Feinstein, L., Schnackenberg, D., Balupari R. and Kindred, D. (2003). Statistical Approaches to DDoS Attack
Detection and Response, Proceedings of the DARPA Information Survivability Conference and Exposition
(DISCEX03), Washington, DC, USA, Vol. 1, pp. 303-314.

8.

Fernandez, G. M., Daz-Verdejo, J. E. and Garcia-Teodoro, P. (2008). Evaluation of a low-rate DoS attack against
application servers, Computers & Security, Vol. 27, ISSN: 0167-4048, pp. 335-354.

9.

Gupta, B. B., Misra, M., and Joshi, R. C. (2008). An ISP Level Solution to Combat DDoS Attacks using
Combined Statistical Based Approach, Journal of Information Assurance and Security 2, pp.102-110.

10. Koutepas, G., Stamatelopoulos, F. and Maglaris, B. (2004). Distributed Management Architecture for Cooperative
Detection and Reaction to DDOS Attacks, Journal of Network and Systems Management, Volume 12, Issue 1,
pp.73-94.
11. Nychis, G., Sekar, V., Andersen, D. G., Kim, H. and ZhangS, H. (2008). An Empirical Evaluation of Entropybased Traffic Anomaly Detection, Proceedings of the 8th ACM SIGCOMM conference on Internet measurement,
pp.151-156.
12. Yuan, J., and Mills, K. (2005). Monitoring the Macroscopic Effect of DDoS Flooding Attacks, IEEE Transactions
on Dependable and Secure Computing, Vol.2, No.4, pp.277-288.
13. You, Y., (2007). A Defense Framework for Flooding-based DDoS Attacks, Masters Thesis, Queen's University
Kingston, Ontario, Canada.
14. Wang, F., Wang, H., Wang, X. and Su, J. (2012). A new multistage approach to detect subtle DDoS attacks,
Journal Mathematical and Computer Modelling, Volume 55, Issues 1-2, pp. 198-213.

208

Jaswinder Singh, Monika Sachdeva & Krishan Kumar

15. Sachdeva, M., Singh, G., Kumar, K., and Singh, K. (2010). Measuring Impact of DDOS Attacks on Web
Services, Journal of Information Assurance and Security 5, pp. 392-400.
16. Sachdeva, M., Singh, G., Kumar, K. and Singh, K. (2010). DDoS Incidents and their Impact: A Review,
International Arab Journal of Information Technology, Vol. 7, No. 1, pp. 14-20.
17. Sachdeva, M., Singh, G. and Kumar, K. (2011). Deployment of Distributed Defense against DDoS Attacks in ISP
Domain, International Journal of Computer Applications (IJCA), Vol. 15, No .2, pp. 25-31.
18. Sachdeva, M., Singh, G., Kumar, K. and Singh K. (2009). A Comprehensive Survey of Distributed DDoS
Attacks, International Journal of Computer Science and Network Security, Vol. 9, No. 12, pp. 7-15.
19. Peng, T., Leckie, C. and Ramamohanarao, K. (2007). Survey of Network-Based Defense Mechanisms Countering
the DoS and DDoS Problems, ACM Computing Surveys, Vol. 39, No. 1, Article 3, pp. 553-557.
20. Peng T., Leckie C. and Ramamohanarao, K. (2003). Protection from Distributed Denial of Service Attacks Using
History-Based IP filtering, In Proceedings of ICC2003, USA, pp. 482-486.
21. NZIX Datasets, Available at: http://www.wand.net.nz/wits/nzix/2/ 20000709-000000.gz [last accessed March,
2012].
22. Mirkovic, J., and Reiher, P. (2005). D-WARD: Source-End Defense Against Flooding DDoS Attacks, IEEE
Transactions on Dependable and Secure Computing.
23. Mirkovic, J., Arikan, E., Wei, S., Fahmy, S., Thomas, R.,and Reiher, P. (2006). Benchmarks for DDoS Defense
Evaluation, Proceedings of the IEEE AFCEA MILCOM, pp. 1-10.
24. Mirkovic, J., Prier, G., Reiher, P. (2002). Attacking DDoS at the source, Proceedings of ICNP -2002, Paris,
France, pp. 312-321.
25. Libtrace Documentation, Available at: http://research.wand.net.nz/software/libtrace.php [last accessed May,
2012].
26. Cheng, C. M., Kung, H. T. and Tan, K. S. (2002) (2002). Use of spectral analysis in defense against DoS attacks,
Proceedings of IEEE GLOBECOM 2002, Taipei, Taiwan, pp. 2143-2148.

AUTHORS DETAILS

Jaswinder Singh has done B.Tech. Computer Science & Engineering from Punjab Technical University Jalandhar,
Punjab, India in year 2006. He has done M.Tech. Computer Science & Engineering from Punjab Technical University,
Jalandhar, Punjab, India in 2012. Currently, he is an Assistant Professor in CSE Department at GTBKIET, Chhapianwali,
Malout, Punjab, India. His research interests include Distributed Denial-of-Service and Design and analysis of algorithms.

Detection of DDoS Attacks Using Source IP Based Entropy

209

Dr. Monika Sachdeva has done B.Tech. Computer Science and Engineering from National Institute of Technology NIT,
Jalandhar in 1997. She finished her MS software systems from BITS Pilani in 2002. She finished his Ph. D. from
Department of Computer Science & Engineering at Guru Nanak Dev University, Amritsar in 2012. Currently she is an
Associate Professor & H.O.D. in CSE Department at SBS College of Engineering & Technology, Ferozepur, Punjab, India.
Her research interests include Web Services, Distributed Denial-of-Service, and Design and Analysis of algorithms.

Dr. Krishan Kumar has done B.Tech. Computer Science and Engineering from National Institute of Technology NIT,
Hamirpur in 1995. He finished his MS Software Systems from BITS Pilani in 2001. In Feb. 2008, he finished his Ph. D.
from Department of Electronics & Computer Engineering at Indian Institute of Technology, Roorkee. Currently, he is an
Associate Professor & H.O.D in CSE Department at PIT Punjab Technical University, Jalandhar, Punjab, India. His
general research Interests are in the areas of Information Security and Computer Networks. Specific research interests
include Intrusion Detection, Protection from Internet Attacks, Web performance and Network architecture/protocols.