This action might not be possible to undo. Are you sure you want to continue?
Entropy Variations
Shui Yu, Member, IEEE, Wanlei Zhou, Senior Member, IEEE,
Robin Doss, Member, IEEE, and Weijia Jia, Senior Member, IEEE
Abstract—Distributed DenialofService (DDoS) attacks are a critical threat to the Internet. However, the memoryless feature of the
Internet routing mechanisms makes it extremely hard to trace back to the source of these attacks. As a result, there is no effective and
efficient method to deal with this issue so far. In this paper, we propose a novel traceback method for DDoS attacks that is based on
entropy variations between normal and DDoS attack traffic, which is fundamentally different from commonly used packet marking
techniques. In comparison to the existing DDoS traceback methods, the proposed strategy possesses a number of advantages—it is
memory nonintensive, efficiently scalable, robust against packet pollution, and independent of attack traffic patterns. The results of
extensive experimental and simulation studies are presented to demonstrate the effectiveness and efficiency of the proposed method.
Our experiments show that accurate traceback is possible within 20 seconds (approximately) in a largescale attack network with
thousands of zombies.
Index Terms—DDoS, IP traceback, entropy variation, flow.
Ç
1 INTRODUCTION
I
T is an extraordinary challenge to traceback the source of
Distributed DenialofService (DDoS) attacks in the
Internet. In DDoS attacks, attackers generate a huge amount
of requests to victims through compromised computers
(zombies), with the aim of denying normal service or
degrading of the quality of services. It has been a major
threat to the Internet since year 2000, and a recent survey [1]
on the largest 70 Internet operators in the world demon
strated that DDoS attacks are increasing dramatically, and
individual attacks are more strong and sophisticated.
Furthermore, the survey also found that the peak of
40 gigabit DDoS attacks nearly doubled in 2008 compared
with the previous year. The key reason behind this
phenomena is that the network security community does
not have effective and efficient traceback methods to locate
attackers as it is easy for attackers to disguise themselves by
taking advantages of the vulnerabilities of the World Wide
Web, such as the dynamic, stateless, and anonymous nature
of the Internet [2], [3]. IP traceback means the capability of
identifying the actual source of any packet sent across the
Internet. Because of the vulnerability of the original design
of the Internet, we may not be able to find the actual hackers
at present. In fact, IP traceback schemes are considered
successful if they can identify the zombies from which the
DDoS attack packets entered the Internet. Research on
DDoS detection [4], [5], [6], [7], [8], [9], mitigation [10], [11],
[12], and filtering [13], [14], [15], [16], [17], [18] has been
conducted pervasively. However, the efforts on IP traceback
are limited.
A number of IP traceback approaches have been
suggested to identify attackers [19], [20], and there are
two major methods for IP traceback, the probabilistic packet
marking (PPM) [21], [22], [23], [24] and the deterministic
packet marking (DPM) [25], [26], [27], [28]. Both of these
strategies require routers to inject marks into individual
packets. Moreover, the PPM strategy can only operate in a
local range of the Internet (ISP network), where the
defender has the authority to manage. However, this kind
of ISP networks is generally quite small, and we cannot
traceback to the attack sources located out of the ISP
network. The DPM strategy requires all the Internet routers
to be updated for packet marking. However, with only
25 spare bits available in as IP packet, the scalability of DPM
is a huge problem [22]. Moreover, the DPM mechanism
poses an extraordinary challenge on storage for packet
logging for routers [29]. Therefore, it is infeasible in practice
at present. Further, both PPM and DPM are vulnerable to
hacking [30], which is referred to as packet pollution.
IP traceback methods should be independent of packet
pollution and various attack patterns. In our previous work
[31], [32] on DDoS attack detection, we compared the packet
number distributions of packet flows, which are out of the
control of attackers once the attack is launched, and we
found that the similarity of attack flows is much higher than
the similarity among legitimate flows, e.g., flash crowds.
Entropy rate, the entropy growth rate as the length of a
stochastic sequence increases [33], was employed to find the
similarity between two flows on the entropy growth pattern
[31], and relative entropy, an abstract distance between two
412 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 22, NO. 3, MARCH 2011
. S. Yu, W. Zhou, and R. Doss are with the School of Information
Technology, Deakin University, Burwood, VIC 3125, Australia.
Email: {syu, wanlei, rchell}@deakin.edu.au.
. W. Jia is with the Department of Computer Science, City University of
Hong Kong, 83 Tat Chee Ave., Kowloon, Hong Kong.
Email: itjia@cityu.edu.hk.
Manuscript received 27 Oct. 2008; revised 20 July 2009; accepted 21 Oct.
2009; published online 30 Apr. 2010.
Recommended for acceptance by M. Singhal.
For information on obtaining reprints of this article, please send email to:
tpds@computer.org, and reference IEEECS Log Number TPDS2008100433.
Digital Object Identifier no. 10.1109/TPDS.2010.97.
10459219/11/$26.00 ß 2011 IEEE Published by the IEEE Computer Society
probabilistic mass distributions [33], was taken to measure
the instant difference between two flows [32].
In this paper, we propose a novel mechanism for IP
traceback using information theoretical parameters, and
there is no packet marking in the proposed strategy; we,
therefore, can avoid the inherited shortcomings of the
packet marking mechanisms. We categorize packets that are
passing through a router into flows, which are defined by
the upstream router where a packet came from, and the
destination address of the packet. During nonattack
periods, routers are required to observe and record entropy
variations of local flows. In this paper, we use flow entropy
variation or entropy variation interchangeably. Once a DDoS
attack has been identified, the victim initiates the following
pushback process to identify the locations of zombies: the
victim first identifies which of its upstream routers are in
the attack tree based on the flow entropy variations it has
accumulated, and then submits requests to the related
immediate upstream routers. The upstream routers identify
where the attack flows came from based on their local
entropy variations that they have monitored. Once the
immediate upstream routers have identified the attack
flows, they will forward the requests to their immediate
upstream routers, respectively, to identify the attacker
sources further; this procedure is repeated in a parallel
and distributed fashion until it reaches the attack source(s)
or the discrimination limit between attack flows and
legitimate flows is satisfied.
Our analysis, experiments, and simulations demonstrate
that the proposed traceback mechanism is effective and
efficient compared with the existing methods [23], [34]. In
particular, it possesses the following advantages:
. The proposed strategy is fundamentally different
from the existing PPM or DPM traceback mechan
isms, and it outperforms the available PPM and
DPM methods. Because of this essential change, the
proposed strategy overcomes the inherited draw
backs of packet marking methods, such as limited
scalability, huge demands on storage space, and
vulnerability to packet pollutions.
. The implementation of the proposed method brings
no modifications on current routing software. Both
PPM and DPM require update on the existing
routing software, which is extremely hard to achieve
on the Internet. On the other hand, our proposed
method can work independently as an additional
module on routers for monitoring and recording
flow information, and communicating with its
upstream and downstream routers when the push
back procedure is carried out.
. The proposed method will be effective for future
packet flooding DDoS attacks because it is indepen
dent of traffic patterns. Some previous works [23]
depend heavily on traffic patterns to conduct their
traceback. For example, they expected that traffic
patterns obey Poisson distribution or Normal dis
tribution. However, traffic patterns have no impact
on the proposed scheme; therefore, we can deal with
any complicated attack patterns, even legitimate
traffic pattern mimicking attacks.
. The proposed method can archive realtime trace
back to attackers. Once the shortterm flow informa
tion is in place at routers, and the victim notices that
it is under attack, it will start the traceback
procedure. The workload of traceback is distributed,
and the overall traceback time mainly depends on the
network delays between the victim and the attackers.
The rest of the paper is organized as follows: Section 2
describes the background of DDoS attacks and the related
work which has been done so far on IP traceback. Our
entropy variationbased IP traceback model is proposed in
Section 3. Detailed analysis of the proposed scheme is
conducted in Section 4. The related algorithms are designed
in Section 5. Section 6 focuses on the performance analysis
for every aspect of the proposed mechanism with Section 7
summarizing the paper and discussing future work.
2 BACKGROUND AND RELATED WORK
2.1 Background of DDoS Attacks
DDoS attacks are targeted at exhausting the victim’s
resources, such as network bandwidth, computing power,
and operating system data structures. To launch a DDoS
attack, the attacker(s) first establishes a network of compu
ters that will be used to generate the huge volume of traffic
needed to deny services to legitimate users of the victim. To
create this attack network, attackers discover vulnerable
hosts on the network. Vulnerable hosts are those that are
either running no antivirus or outofdate antivirus soft
ware, or those that have not been properly patched. These
are exploited by the attackers who use the vulnerability to
gain access to these hosts. The next step for the attacker is to
install new programs (known as attack tools) on the
compromised hosts of the attack network. The hosts running
these attack tools are known as zombies, and they can be used
to carry out any attack under the control of the attacker.
Numerous zombies together form an army or botnet [3], [35].
There are two categories of DDoS attacks, typical DDoS
attacks and Distributed Reflection DenialofService
(DRDoS) attacks. In a typical DDoS attack, the master
computer orders the zombies to run the attack tools to send
huge volume of packets to the victim, to exhaust the
victim’s resources. Unlike the typical DDoS attacks, the
army of a DRDoS attack consists of master zombies, slave
zombies, and reflectors. The difference in this type of attack
is that slave zombies are led by master zombies to send a
stream of packets with the victim’s IP address as the source
IP address to other uninfected machines (known as
reflectors), exhorting these machines to connect with the
victim. Then the reflectors send the victim a great volume of
traffic, as a reply to its exhortation for the opening of a new
connection, because they believe that the victim was the
host that asked for it.
Understanding the features of DDoS attack is critical for
effective attack traceback. However, we have limited real
data sets about DDoS attacks. The current knowledge of
DDoS attack can be classified as follows: inference based on
partial information [34], real network emulation [35] or
simulations [36], and real attack and defence between two
cooperate research groups [37].
YU ET AL.: TRACEBACK OF DDOS ATTACKS USING ENTROPY VARIATIONS 413
2.2 Related Work of IP Traceback
It is obvious that hunting down the attackers (zombies), and
further to the hackers, is essential in solving the DDoS
attack challenge. The summary of the existing DDoS
traceback methods can be found in [38] and [39]. In general,
the traceback strategies are based on packet marking.
Packet marking methods include the PPM and the DPM.
The PPM mechanism tries to mark packets with the router’s
IPaddress information by probability on the local router, and
the victim can reconstruct the paths that the attack packets
went through. The PPMmethod is vulnerable to attackers, as
pointed out in [30], as attackers can send spoofed marking
information to the victim to mislead the victim. The accuracy
of PPM is another problem because the marked messages by
the routers who are closer to the leaves (which means far
away from the victim) could be overwritten by the down
stream routers on the attack tree [21]. At the same time, most
of the PPMalgorithms suffer fromthe storage space problem
to store large amount of marked packets for reconstructing
the attack tree [22], [24]. Moreover, PPM requires all the
Internet routers to be involved in marking.
Based on the PPM mechanism, Law et al. tried to
traceback the attackers using traffic rates of packets, which
were targeted on the victim [23]. The model bears a very
strong assumption: the traffic pattern has to obey the Poisson
distribution, which is not always true in the Internet.
Moreover, it inherits the disadvantages of the PPM mechan
ism: large amount of marked packets are expected to
reconstruct the attack diagram, centralized processing on
the victim, and it is easy be fooled by attackers using packet
pollution.
The deterministic packet marking mechanism tries to
mark the spare space of a packet with the packet’s initial
router’s information, e.g., IP address. Therefore, the receiver
can identify the source location of the packets once it has
sufficient information of the marks. The major problem of
DPM is that it involves modifications of the current routing
software, and it may require very large amount of marks for
packet reconstruction. Moreover, similar to PPM, the DPM
mechanism cannot avoid pollution from attackers.
Savage et al. [24] first introduced the probabilitybased
packet marking method, node appending, which appends
each node’s address to the end of the packet as it travels
from the attack source to the victim. Obviously, it is
infeasible when the path is long or there is insufficient
unused space in the original packet. The authors proposed
the node sampling algorithm, which records the router
address to the packet with probability, j, on the routers of
the attack path. Then, the probability of a packet marked
by a router d that hops away from the victim is jð1 ÀjÞ
dÀ1
.
Based on the number of marked packets, we can reconstruct
the attack path. However, it requires large number of
packets to improve the accuracy of the attack path
reconstruction. Therefore, an edge sampling algorithm
was proposed to mark the start router address and end
router address of an attack link and the distance between
the two ends. The edge sampling algorithm fixed the
problems of the node sampling algorithm to some extent.
Based on the PPM mechanism, in [23], the traffic that
targeted the victim was measured to construct the attack
diagram, and then identified where the attackers were
located. They focused on the traffic flows, which end at the
victim, and therefore, there was a tree which was rooted at
the victim. For a router on the attack tree, the outgoing flow
included two parts: the locally generated flows and the
transit flows from the upstream router(s) of the attack tree. If
A
1
and A
2
are two flows on the attack tree, and A
1
is the
upstream flow of A
2
, then Pr o/½A
1
r ! Pr o/½A
2
r. 8r.
The victim will collect all the marked packets from the
routers and reconstruct the attack tree based on the traffic
rates of the different routers. This traceback method heavily
depends on the queuing model, and it requires the traffic
flows to obey specific patterns, e.g., the Poisson distribution.
In [22], the randomizeandlink approach to implement IP
traceback basedon the probabilistic packet marking mechan
ism was proposed. The algorithm targets two aspects: to
reconstruct the marks from the marker efficiently and to
make the PPM more secure against hackers’ pollution. The
idea is to have every router X to fragment its unique message
`
r
(e.g., IPaddress) into several pieces, `
0
. `
1
. . . . `

. At the
same time, the router calculates the checksum C ¼ Cð`
r
Þ,
named as cord. The router assembles the mark as /
i
, and
injects /
i
randomly into the unused IPv4 packet header (say,
` bits, which is 25 bits in the paper: 16 bits of fragmentation
ID, 1 bit of the fragmentation index, and 8 bits of service type,
all of them are used rarely in a common IPv4 packet). /
i
includes three parts: an index of the pieces (log
2
 bits), a large
checksumcordC ¼ Cð`
r
Þ(` Àlog
2
 Àj`
i
jbits), anda piece
of `
i
. i ¼ 0. 1. . . . .  (j`
i
j bits). The cord is quite large, for
example, 14 out of 25 bits, therefore, we can treat the cord as a
random number, which is hard for hackers to predict. The
victim can reconstruct the message efficiently by checking
the cord and the index sequence.
Yaar et al. [40] studied the marking technique to improve
the PPM mechanism. They broke the 16bits marking space
into three parts: 1 bit for distance, 2 bits for fragmentation
index, and a hash fragmentation of 13 bits. By this
modification, the proposed FIT algorithm can traceback
the attack paths with high probability after receiving only
tens of packets. The FIT algorithm also performed well even
in the presence of legacy routers and it is a scalable
algorithm for thousands of attack sources.
Snoeren et al. proposed a method by logging packets or
digests of packets at routers [41], [42]. The packets are
digested using bloom filter at all the routers. Based on these
logged information, the victim can traceback the leaves on
an attack tree. The methods can even traceback a single
packet. However, it also places a significant strain on the
storage capability of intermediate routers.
In [21], two hybrid schemes that combine the packet
marking and packet logging method to traceback the attack
sources are proposed—Distributed LinkList Traceback
(DLLT) and the Probabilistic Pipelined Packet Marking
(PPPM). The first one preserves the marking information at
intermediate routers in a specific way so that it can be
collected using a linklistbased approach. The second
algorithm targets propagating the IP addresses of the
routers that were involved in marking certain packets by
loading them into packets going to the same destination,
414 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 22, NO. 3, MARCH 2011
therefore, preserving these addresses while avoiding the
need for longterm storage at the intermediate routers.
Different from PPM, Dean et al. [26] proposed a
deterministic packet marking strategy for IPtraceback. Every
ingress router writes its own IP address into the outgoing IP
packet header, and there is no more marking for the packet.
They used an algebraic approach, originally developed for
coding theory and learning theory, for encoding traceback
information. Their idea is that for any polynomial )ðrÞ of
degree d in the prime field G1ðjÞ, )ðrÞ can be recovered
given )ðrÞ evaluated at d þ1 unique points.
Belenky and Ansari [25] noticed that the PPM mechan
ism can only solve large flooding attacks, and it is not
applicable for attacks consisted of a small number of
packets. Moreover, PPM is vulnerable if hackers inject
marked packets into the network. Therefore, the paper
proposed a deterministic packet marking method for IP
traceback. The basic idea is that at the initial router for an
information source, the router embeds its IP address into
the packet by chopping the router’s IP into two segments
with 17 bits each (16 bits for half of the IP address and 1 bit
works as index). As a result, the victim can trace which
router the packets came from.
Jin and Yang [27] improved the ID coding of the
deterministic packet marking scheme using redundant
decomposition of the initial router IP address. For an IP
address, they divided them into three redundant segments,
013 bits, 922 bits, and 1831 bits, and then five different
hash functions are applied on the three segments to create
five results. The resulting eight segments are recorded in
the outgoing packets randomly. The victim can reassemble
the source router IP using the packets it has received.
3 SYSTEM MODELING FOR IP TRACEBACK ON
ENTROPY VARIATIONS
3.1 A Sample Network with DDoS Attacks
In order to clearly describe our traceback mechanism, we
use Fig. 1 as a sample network with DDoS attacks to
demonstrate our traceback strategy.
In a DDoS attack scenario, as shown in Fig. 1, the flows
with destination as the victim include legitimate flows, such
as )
3
, and a combination of attack flows and legitimate
flows, such as )
1
and )
2
. Compared with nonattack cases,
the volumes of some flows increase significantly in a very
short time period in DDoS attack cases. Observers at routers
R
1
, R
4
, R
5
, and \ will notice the dramatic changes;
however, the routers who are not in the attack paths, such
as R
2
and R
3
, will not be able to sense the variations.
Therefore, once the victim realizes an ongoing attack, it can
pushback to the LANs, which caused the changes based on
the information of flow entropy variations, and therefore,
we can identify the locations of attackers.
The traceback can be done in a parallel and distributed
fashion in our proposed scheme. In Fig. 1, based on its
knowledge of entropy variations, the victim knows that
attackers are somewhere behind router R
1
, and no attackers
are behind router R
2
. Then the traceback request is
delivered to router R
1
. Similar to the victim, router R
1
knows that there are two groups of attackers, one group is
behind the link to LAN
0
and another group is behind the
link to LAN
1
. Then the traceback requests are further
delivered to the edge routers of LAN
0
and LAN
1
, respec
tively. Based on entropy variation information of router R
3
,
the edge router of LAN
0
can infer that the attackers are
located in the local area network, LAN
0
. Similarly, the edge
router of LAN
1
finds that there are attackers in LAN
1
;
furthermore, there are attackers behind router R
4
. The
traceback request is then further passed to the upstream
routers, until we locate the attackers in LAN
5
.
3.2 System Modeling
In this paper, we categorize the packets that are passing
through a router into flows. A flow is defined by a pair—the
upstream router where the packet came from, and the
destination address of the packet. Entropy is an information
theoretic concept, which is a measure of randomness. We
employ entropy variation in this paper to measure changes of
randomness of flows at a router for a given time interval. We
notice that entropy variation is only one of the possible
metrics. Chen and Hwang used a statistical feature, change
point of flows, to identify the abnormality of DDoS attacks
[6]; however, attackers could cheat this feature by increasing
attack strength slowly. We can also employ other statistic
metrics to measure the randomness, such as standard
variation or highorder moments of flows. We choose
entropy variation rather than others in this paper because
of the low computing workload for entropy variations.
First, let us have a close investigation on the flows of a
router, as shown in Fig. 2. Generally, a router knows its local
topology , e.g., its upstream routers, the local area network
attached to the router, and the downstream routers.
We name the router that we are investigatingnowas a local
router. In the rest of the paper, we use 1 as the set of positive
integers, andRas the set of real numbers. We denote a flowon
a local router by <n
i
. d
,
. t. i. , 2 1. t 2 1, where n
i
is an
upstream router of a local router R
i
, d
,
is the destination
address of a group of packets that are passing through the
local router R
i
, and t is the current time stamp. For example,
the local router R
i
in Fig. 2 has two different incoming
flows—the ones from the upstream routers R
j
and R
k
,
respectively. We name this kind of flows as transit flows.
Another type of incoming flows of the local router R
i
is
YU ET AL.: TRACEBACK OF DDOS ATTACKS USING ENTROPY VARIATIONS 415
Fig. 1. A sample network with DDoS attacks.
generated at the local area network; we call these local flows,
and we use 1 to represent the local flows. We name all the
incoming flows as input flows, andall the flows leaving router
R
i
are named as output flows. We denote n
i
. i 2 1 as the
immediate upstream routers of the local router R
i
, and set U
as the set of incoming flows of router R
i
. Therefore, l ¼
fn
i
. i 2 1g þf1g. We use a set 1 ¼ fd
i
. i 2 1g to represent the
destinations of the packets that are passing through the local
router R
i
. If . is the victim router, then . 2 1. Therefore, a
flow at a local router can be defined as follows:
)
i,
ðn
i
. d
,
Þ ¼ f<n
i
. d
,
. tjn
i
2 l. d
,
2 1. i. , 2 1g. ð1Þ
We denote j)
i,
ðn
i
. d
,
. tÞj as the count number of packets of
the flow )
i,
at time t. For a given time interval ÁT, we
define the variation of the number of packets for a given
flow as follows:
`
i,
ðn
i
. d
,
. t þÁTÞ ¼ j)
i,
ðn
i
. d
,
. t þÁTÞj Àj)
i,
ðn
i
. d
,
. tÞj. ð2Þ
If we set j)
i,
ðn
i
. d
,
. tÞj ¼ 0, then `
i,
ðn
i
. d
,
. t þÁTÞ is the
number of packets of flow )
i,
, which went through the local
router during the time interval ÁT. In order to make the
presentationtidy, we use `
i,
ðn
i
. d
,
Þ to represent `
i,
ðn
i
. d
,
. t þ
ÁTÞ in the rest of this paper.
Based on the large number theorem, we have the
probability of each flow at a local router as follows:
j
i,
ðn
i
. d
,
Þ ¼
`
i,
ðn
i
. d
,
Þ
P
1
i¼1
P
1
,¼1
`
i,
ðn
i
. d
,
Þ
. ð3Þ
where j
i,
ðn
i
. d
,
Þ gives the probability of the flow )
i,
over all
the flows on the local router, and
P
1
i¼1
P
1
,¼1
j
i,
ðn
i
. d
,
Þ ¼ 1.
Let 1 be the random variable of the number of flows
during the time interval ÁT on a local router, therefore, we
define the entropy [33] of flows for the local router as follows:
Hð1Þ ¼ À
X
i.,
j
i,
ðn
i
. d
,
Þ log j
i,
ðn
i
. d
,
Þ. ð4Þ
In order to differentiate from the original definition of
entropy, we call H(F) as entropy variation in this paper,
which measures the variations of randomness of flows on a
given local router.
4 TRACEBACK MODEL ANALYSIS
In this section, we first compare the proposed model with
the existing proposals in order to show the advantages of
the proposed mechanism. We then analyze the proposed
entropy variationbased traceback model in detail. The
features of a standalone router are analyzed first, followed
by the investigation on the properties of the whole attack
tree of a DDoS attack.
4.1 Comparison of Traceback Models
In order to show the advantages of the proposed mechan
ism, we compare our proposed method with the represen
tatives of DPM [42] and PPM [22] algorithms. The settings
and network environment for the proposed algorithm are
the same as that of DPM [42] and PPM [22], respectively, in
the comparisons. We take [42] as the representative for
DPM mechanism because it is a typical research instance for
that category. It chooses one source (attacker) and one
destination randomly from a tierone ISP made up of
roughly 70 backbone routers with links ranging from T1 to
OC3. The routers between the source and the destination
perform packet digests using a bloom filter, and the average
packet size is 400 bytes as indicated in the paper. Routers
process more than 20 Mpkts/sec (roughly 2 OC192 links, or
8 OC48s), and there are around 1,000 flows at a router. We
use [22] as an instance for the PPM strategy, which is
treated as the most scalable PPM algorithm, and we
calculate the related storage space and traceback time as
the parameters provided by the paper, such as sampling
probability j ¼ 0.05. Both of these two schemes are used as
the benchmark in [43] as well. The comparisons are listed in
Table 1, and it shows clearly that the proposed mechanism
outperforms the other two mechanisms in terms of
scalability (the size of attack network that we can handle),
storage (the storage space that we need on routers or
victims to conduct IP traceback), traceback time (the overall
time we need from the start time until the end of tracing
process), and the operation workload (the operations on
possible routers or victims).
There are some improvements for DPM by distributing
logging information among routers [29] and PPM by
reducing the probability of sampling [43]. However, there
are no fundamental changes, and the improvements are
limited compared to our proposed methodology.
4.2 Analysis of EntropyVariationBased Traceback
Model
We present our assumptions below in order to make our
analysis simple and clear. We assume the following:
1. There is no extraordinary change of network traffic
in a very short time interval (e.g., at the level of
seconds) for nonDDoS attack cases. It is true that the
network traffic for a router may dynamically change
a lot from peak to offpeak service times. However,
this kind of change lasts for a relatively long time
interval, e.g., at least at the level of minutes. If we
break down these changes into seconds, the change
of traffic is quite smooth in our context.
2. The number of attack packets is at least an order of
magnitude higher than that of normal flows. During
a DDoS flooding attack, the number of attack packets
416 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 22, NO. 3, MARCH 2011
Fig. 2. Traffic flows at a router on an attack path.
increases dramatically, and the attack packets are
generated by thousands of zombies or bots [3], [34].
Consequently, the number of attack packets is much
higher than that of legitimate flows. Therefore, this
assumption is reasonable. Of course, for the non
flooding attacks, this may not hold, and in this paper,
we focus on the majority of the attack tools—flooding
attacks. Furthermore, this is the lower bound that we
can discriminate attack flows from the legitimate
flows (see the experiments in Section 6).
3. Only one DDoS attack is ongoing at a given time. It
could be true that a number of attacks are ongoing
concurrently in the Internet, the attack paths may
overlap as well, but we only consider the one attack
scenario to make it simple and clear.
4. The number of flows for a given router is stable at
both the attack cases and nonattack cases.
For a local router, suppose that the number of flows is `,
and the probability distribution is 1fj
1
. j
2
. . . . . j
`
g. We can
simplify the expression of entropy of (4) as follows:
Hð1Þ ¼ Hðj
1
. j
2
. . . . . j
`
Þ ¼ À
X
`
i¼1
j
i
log j
i
. ð5Þ
Based on the characteristics of the entropy function [33], we
obtain the upper bound and lower bound of H(F) as follows:
0 Hð1Þ log `. ð6Þ
We reach the lower bound when j
i
¼ 1. 1 i `,
j
/
¼ 0. / ¼ 1. 2. . . . . `, and / 6¼ i; we have the upper bound
when j
1
¼ j
2
¼ Á Á Á ¼ 1
`
. Based on our definition of the
random variable of flows, we have the following special
cases to reach the lower bound and the upper bound,
respectively: when there is only one flow alive during the
sampling time interval, and there are no packets going
through the local router for the other flows, Hð1Þ ¼ 0; when
the number of packets for each flow is the same among all
the flows at a local router, then we have Hð1Þ ¼ log `.
We divide our timeline into two segments for the
following investigation: before DDoS attack and under
DDoS attack. The local router’s entropy variation is, there
fore, denoted by H
À
ð1Þ and H
þ
ð1Þ, respectively. Let c be a
reasonable threshold, and C be the mean of H
À
ð1Þ, and the
standard variation of H
À
ð1Þ be o. We know that H
À
ð1Þ is
quite stable for a long time period. We justify our threshold c
to make the following equation holds with high probability:
jH
À
ð1Þ ÀCj c. ð7Þ
In order to make the mean C and standard variation c
adaptive to the network traffic variations, let
C½t ¼
X
i
i¼1
c
i
Á C½t Ài.
X
i
i¼1
c
i
¼ 1. ð8Þ
o½t ¼
X
i
i¼1
u
i
Á o½t Ài.
X
i
i¼1
u
i
¼ 1. ð9Þ
where C[t] represents the current mean, C[t Ài] is the mean
of the ith sample instance in the near past, and c
i
. i ¼
1. 2. . . . . i are the weights for the n past samples, respec
tively. In order to reflect the nearest changes, let
c
i
c
,
)oi i < ,. i. , 2 1. The values of c
i
ði ¼ 1. 2. . . . . iÞ
are fixed and could be decided by the experiments of
nonattack cases. The same for o½t, o½t Ài and u
i
. i ¼
1. 2. . . . . i, respectively. The evolutions will be suspended
when a DDoS attack is ongoing.
If an attack flow is going through a local router, then the
following equation holds with high probability:
jH
þ
ð1Þ ÀCj c. ð10Þ
Moreover, we know that the reason behind this is that the
packet numbers of flows <n
i
. .. n
i
2 l increase signifi
cantly. In order to find the immediate sources of the attack
flows from the upstream routers, we sort the flows
<n
i
. .. n
i
2 l in terms of number of packets of a given
attack flow, `
i.
ðn
i
. .Þ. We calculate the entropy variation
YU ET AL.: TRACEBACK OF DDOS ATTACKS USING ENTROPY VARIATIONS 417
TABLE 1
The Comparison of the Entropy Variation Mechanisms against DPM and PPM
(with the Same Settings and Network Environment, Respectively)
reiteratively by taking the suspicious flows out starting with
the flow which has the greatest packet number, until the
difference between the entropy of the remaining flows and
the mean is less than or equal to the threshold, c. In other
words, the process stops when the following equation holds:
jH
þ
ð1n maxðf<n
i
. .gÞ ÀCj c. ð11Þ
where 1n maxðf<n
i
. .g means taking the maximum
element from set f<n
i
. .g from set 1. Then the subset
fn
i
g l, which includes the upstream routers that we have
taken out before (11) holds, is the set of suspicious
immediate sources of the DDoS attack. Then the traceback
requests are further forwarded to the elements of set fn
i
g,
respectively. The traceback processing terminates under the
following conditions:
1 ¼ maxf<n
i
. .g.
jH
þ
ð1n1Þ ÀCj c.
&
ð12Þ
Then 1, the flows of the local area network, is the attack
source of that branch on the attack tree.
The threshold c is important for us to make the decision,
and it also introduces possible false positive and false
negative. Suppose that c is the true value of the threshold,
and we have 0 c
1
c c
2
< 1. We denote the prob
ability density function as a continuous function )ðrÞ, then
the probability of false positive and false negative can be
expressed as follows:
1
11
ðr. c. c
1
Þ ¼
Z
Àc
1
Àc
)ðrÞdr þ
Z
c
c
1
)ðrÞdr. ð13Þ
1
1`
ðr. c. c
2
Þ ¼
Z
Àc
Àc
2
)ðrÞdr þ
Z
c
2
c
)ðrÞdr. ð14Þ
where )ðrÞ could be Gaussian distribution in practice.
Equation (13) gives the probability of false positive when
the chosen threshold c
1
is less than the true value c; while
(14) gives the probability of false negative when the chosen
threshold c
2
is greater than the true value c.
For a nonattack case, the number of packets of each flow
is stable as we assumed; therefore, the entropy variation
Hð1Þ is stable with minor fluctuations, namely (7) holds
with high probability. Our traceback procedure starts when
a DDoS attack alarm has been raised. We now investigate
the features of the entropy variation when a DDoS attack is
ongoing.
Lemma 1. Compared with the nonattack scenario, the upper
bound of entropy variation drops when DDoS attack flows are
passing through a local router.
Proof. Based on (6), we know that entropy variation reaches
the maximum, logN, whenthe distributionis even, namely
j
1
¼ j
2
¼ Á Á Á ¼ 1
`
, and it reaches the minimum, 0, when
the distribution is extremely uneven, say, j
i
¼ 1. 1
i `, j
/
¼ 0. / ¼ 1. 2. . . . . `, and / 6¼ i. We also know
that entropy is a monotonic function [33]. Therefore, it is
clear that when a DDoS attack occurs, the distribution
moves toward the extreme uneven point; as a result, the
upper bound of the entropy variation drops. tu
Theorem 1. Compared with the nonattack situation, the entropy
variation of a local router drops dramatically when attack
flows are passing through the local router, in other words,
H
À
ð1Þ H
þ
ð1Þ.
Proof. Let )ðrÞ ¼ r log r. r ! 0. We know that f(x) is a
monotonically increasing convex function. Therefore,
À)ðrÞ ¼ Àr log r. r ! 0, is a monotonically decreasing
concave function. Let X be the random variable for the
flow distributions. Applying Jensen’s inequality [33] to
)ðAÞ, we have 1)ðAÞ ! )ð1AÞ, and further À1)ðAÞ
À)ð1AÞ holds. tu
Let 1ðAÞ ¼ fj
1
. j
2
. . . . . j
`
g be the distributionof flows at a
local router, 1ðA
0
Þ ¼ fj
0
1
. j
0
2
. . . . . j
0
`
g be the distribution for
the nonattack case, and 1ðA
1
Þ ¼ fj
1
1
. j
1
2
. . . . . j
1
`
g be the
distribution when attack flows are passing through the local
router. As mentioned at the beginning of this section, we
suppose that the variation of the nonattack flows remain at
the same level. Let j
i
. 1 i ` represent the instance of the
attack flow, then j
0
i
<< j
1
i
. We further have 1A
0
<< 1A
1
and
À)ð1A
0
Þ À)ð1A
1
Þ. Therefore, À1)ðA
0
Þ À1)ðA
1
Þ,
specifically À
P
`
i¼1
j
0
i
log j
0
i
À
P
`
i¼1
j
1
i
log j
1
i
. Hence, the
result HðA
0
Þ HðA
1
Þ, in other words, H
À
ð1Þ H
þ
ð1Þ.
So far, we have analyzed the characteristics of a local
router with and without DDoS attacks. It is also important
to have a deep understanding of the changing patterns of
entropy variation among routers on an attack tree. We use
the network in Fig. 3 as a sample for this study.
Lemma 2. For a local router on an attack path, the entropy
variation of the output flows is not greater than the summation
of the entropy variation of the incoming flows.
Proof. For a router in Fig. 3, we assume that there are i
incoming flows, )
1
. )
2
. . . . . )
i
(i upstream routers pump
packets to one router). For any incoming flow )
i
, it has i
i
subflows, )
1
i
. )
2
i
. . . . . )
i
i
i
(flows share one upstream router
with different destinations), with the probability dis
tribution of j
1
i
. j
2
i
. . . . . j
i
i
i
, respectively. The entropy
variation of flow )
i
is given by the following equation:
Hð)
i
Þ ¼ H
À
j
1
i
. j
2
i
. . . . . j
i
i
i
Á
. ð15Þ
tu
Without loss of generality, let )
1
i
be the attack flow. Then
the output flow entropy variation is Hð
P
i
i¼1
)
i
Þ. Based on
418 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 22, NO. 3, MARCH 2011
Fig. 3. A sample attack tree near the victim.
Jensen’s inequality, 1) ! )ð1AÞ when ) is convex, and the
fact that H(p) is convex implies that
X
i
i¼1
Hð)
i
Þ ! H
X
i
i¼1
)
i
!
. ð16Þ
Theorem 2 (Entropy variation convergence of attack
flows). The entropy variation drops when a local router is
closer to the victim, and vice versa.
This theorem can be easily concluded from lemma 2 in
an attack tree.
With the progress of the traceback procedure, we have
more and more information about the ongoing attack. We
can, therefore, estimate the number of attackers, which are
going to be traced and the distances between attackers and
the current local router. We use Fig. 4 as a sample attack
branch for this investigation.
In Fig. 4, the traceback request has been submitted to
router R
4
, and from the diagram, we know that four
attackers, A
1
, A
2
, A
3
, and A
4
, are to be traced, and the length
of the most far away zombies is three hops away.
Unfortunately, this knowledge is not available to our
traceback algorithm. However, we can estimate the number
of zombies that are located behind router R
4
, and the
maximum of the length to the most far away zombie(s) with
the knowledge of the attack that we have collected so far on
the way to router R
4
.
Theorem 3 (Estimation on traceback distance and number
of zombies). Based on the partial information of the attack
that the traceback algorithm has accumulated, we can estimate
the number of zombies to be traced and the maximum length to
the most far away zombie(s).
Suppose that the zombies are distributed evenly, the
attack tree is a dbranch tree, and we have knowledge of /
attack packet rates, o
1
. o
2
. . . . . o
/
when we reach the current
router, say, router R
4
in Fig. 4. Moreover, we also know the
output attack packet rate of the current local router, `. We
use i to denote the number of zombies to be traced.
We use j
i
. 1 i / to represent the distribution of
t
i
. 1 i /, then the mean of o
1
. o
2
. . . . . o
/
is close enough
to the mean of all zombies in the whole attack tree if / is
sufficient enough, in this case, o ¼
P
/
i¼1
j
i
Á o
i
. Therefore, in
terms of statistics, we can infer the number of attackers to be
traced in the branch as (17)
i %
`
o
¼
`
P
/
i¼1
j
i
Á o
i
. ð17Þ
For a dbranch tree (d ¼ 2 in Fig. 4), we assume that the
distance from the current node (the local router) to the i
leaves (zombies) is given as 
1
. 
2
. . . . . 
i
, respectively. From
the Kraft inequality [33], the following equation holds:
X
i
i¼1
d
À
i
1. ð18Þ
Let 
max
¼ maxð
1
. 
2
. . . . . 
i
Þ. Based on (17) and inequality
(18), we obtain

max
!
log i
log d
%
log ` Àlog
P
/
i¼1
j
i
Á o
i
log d
. ð19Þ
From (17) and inequality (19), we can estimate the number
of zombies to be traced and the maximum length to reach
the most far away zombie(s), respectively.
Theorem 4 (Termination condition for traceback). There are
no attackers at the upstream routers if a local router’s entropy
variation is reasonable, namely jH
þ
ð1Þ ÀCj c holds with
high probability.
We know that jH
À
ð1Þ ÀCj c holds with high prob
ability for a local router before a DDoS attack occurs. When
a DDoS attack is ongoing, however, there are no DDoS
attack packets passing through the local router. Then
H
À
ð1Þ % H
þ
ð1Þ, and therefore, jH
þ
ð1Þ ÀCj c holds with
high probability.
Theorem 4 is quite important for the traceback algorithm
to make a decision on when to terminate the pushback
procedure. Of course, if the attack flows are similar to the
legitimate flows in terms of packet rate, say, within 10 times
range, the entropy variation cannot discriminate them.
However, we are close enough to the zombies in this case.
Further, the total time for traceback, the period from
starting traceback procedure to zombies are identified, is a
critical parameter for any traceback algorithms. There are
two reasons why this parameter is important. Moore et al.
[34] indicated that the average attack duration is around 5
10 minutes for typical DDoS attacks, therefore, an effective
traceback procedure has to be completed within this time
limitation, say, 5 minutes; another reason is that we would
be able to reduce the damage caused by DDoS attack if we
could identify the zombies earlier, and therefore, block
them earlier.
Suppose that the attack network is a dbranch tree, the
height of the tree is i, and there are totally ` zombies.
Based on [34], the maximum hops between two end points
at the Internet are 31. In [23], the experiments were
conducted with the maximum hops as 23. However, we
take 31 hops as the maximum hops between two end points
on the Internet. Suppose that the zombies are distributed
evenly in the attack tree. Then,
X
i
i¼0
d
i
`. 1 i 31. ð20Þ
Let the normal delay between two routers in nonattack
scenario be t, which is at a millisecond level usually, and the
YU ET AL.: TRACEBACK OF DDOS ATTACKS USING ENTROPY VARIATIONS 419
Fig. 4. A sample traceback branch in an attack tree.
delay on a link be proportional to the number of packets
passing through the link. Then, the traceback time can be
calculated as follows:
T ¼ t Â
X
i
i¼0
ð31 ÀiÞ Âd
i
. 1 i 30. ð21Þ
Combining (20) and (21), we can calculate the total
traceback time to the most far away zombies using the
proposed traceback method. The numerical results will be
shown in Section 6.
5 ALGORITHMS FOR THE IP TRACEBACK MODEL
In this section, we design the related algorithms according
to our previous modeling and analysis. There are two
algorithms in the proposed traceback suite, the local flow
monitoring algorithm and the IP traceback algorithm.
The local flow monitoring algorithm is running at the
nonattack period, accumulating information from normal
network flows, and progressing the mean and the standard
variation of flows. The progressing suspends when a DDoS
attack is ongoing. The local flow monitoring algorithm is
shown as Fig. 5.
Once a DDoS attack has been confirmed by any of the
existing DDoS detection algorithms, then the victim starts
the IP traceback algorithm, which is shown as Fig. 6.
The IP traceback algorithm is installed at routers. It is
initiated by the victim, and at the upstream routers, it is
triggered by the IP traceback requests from the victim or the
downstream routers which are on the attack path.
The proposed algorithms are independent from the
current routing software, they can work as independent
modules at routers. As a result, we do not need to change
the current routing software.
6 PERFORMANCE EVALUATIONS
In this section, we evaluate the effectiveness and efficiency
of the proposed entropy variation based on IP traceback
mechanism. Our first task is to show that the flow entropy
variation is stable for nonattack cases, and find out the
fluctuations for normal situations; the second task is to
demonstrate the relationship between the drop of flow
entropy variation and the increase of attack strength, so that
we can identify the threshold for identifying attack sources;
we further simulate the whole attack tree for traceback, and
evaluate the total traceback time.
As mentioned in Section 2, the network security commu
nity lacks suitable data sets of real largescale DDoS attacks,
and it is even harder to find suitable data sets for our
algorithms. Consequently, in order to evaluate our scheme,
we have carefully conducted extensive simulations and real
case observations. The simulation settings are arranged
according to Fig. 1. We set the attack tree as a binary tree or
threebranch tree, respectively, and zombies are distributed
in the attack tree uniformly. We note that, our entropy
variation traceback mechanism is independent from the
topology of attack network and it is also independent from
the network topology of victims. We use the essential DDoS
attack parameters as presented in [34] in our simulations,
such as, 510 minutes attack duration, 10,000 packets per
second of attack flows. The performance evaluation in
cluded two parts—the first one focussed on the entropy
variation monitoring at a local router; and the second part
was to demonstrate the effectiveness of DDoS attacker
traceback and the overall traceback time.
420 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 22, NO. 3, MARCH 2011
Fig. 5. The algorithm for local flow traffic monitoring.
Fig. 6. The IP traceback algorithm on a router.
First, we observe the stability of entropy variations at a
local router during nonattack periods. We examine two
kinds of flows, the Poisson distribution flows and the
Normal distribution flows. The Poisson distribution is
treated as the pattern of Internet traffic by most researchers,
and the combination of Normal distributions with different
parameters can be used to approximate most distributions.
For confidence level in the simulations, we take c ¼ 0.05, so
that the confidence level is 1 Àc ¼ 95%, and the corre
sponding confidence interval is ½À0.196. þ0.196. We first
investigated the impact on the entropy variation against the
number of flows, and the results are shown in Fig. 7.
Fig. 7 indicates that the entropy variation increases
smoothly against the increase of the number of flows which
are passing through the local router. It also shows the
similarity of the entropy variation patterns for the two
distributions, and the difference of the variation entropies is
quite limited.
In order to confirmthis in reality, we conducted a real case
studybycollectingnetworkflowinformationfroma gateway
server of our campus [44] over one week, when there is no
DDoS attack. We examine the real data set to observe the
patterns of flow entropy variation against number of flows
for each day in that week. There were thousands of flows per
day from the collected data set. We sorted the flows in
different ways: by traffic volume per connection and by the
number of connections for a given time interval, and
considered the top 1,000 flows as input for the experiments.
The results are listed in Figs. 8 and 9, respectively.
In Fig. 8, we increase the number of flows (the flows are
sorted by traffic volume per connection) and check the
variation of flow entropy variation on the gateway server.
In Fig. 9, we sort the flows by the number of connections for
different clients. We notice that the entropy variation is
steady and smooth as we found in the simulation.
We therefore can conclude that the entropy variation is
stable; moreover, it is independent from specific distribu
tion patterns as shown in Fig. 7. This is one of the
foundations for our proposed algorithms.
Furthermore, it is important to know the stability of the
entropy variation against the fluctuations of flows in
nonattack cases. We conducted two simulations for this
purpose: we make the mean of flows as 100 packets per
time unit, and the standard variations (std) of the flows are
25 and 50, respectively. We observe the changes of the
entropy variation against the number of flows. The results
are shown in Fig. 10. It indicates that the standard variation
of the entropy variation is quite stable (the fluctuation is
around 13 percent), even when the fluctuations of the flows
are quite big, Æ25% and Æ50%, respectively. Moreover, the
standard variation of entropy variation decreases when the
number of flows increases. For example, for a router with
around 500 flows, the variation is about 0.015. As pre
viously presented by (13) and (14), if we set our discrimina
tion threshold c to be less than 0.015, then we will create
false positive; while when we set c to be greater than 0.015,
we will create false negative.
Based on Figs. 7 and 10, we can further conclude that the
entropy variation is stable against huge flow fluctuations
and number of flows in nonattack cases. Therefore, we can
use it as a benchmark to discriminate DDoS attack flows.
We investigate the changes of entropy variation when a
DDoS attack is ongoing. We use the term attack strength to
present the packet rate of attacks. We fix the number of
YU ET AL.: TRACEBACK OF DDOS ATTACKS USING ENTROPY VARIATIONS 421
Fig. 7. The entropy variation against number of flows for Poisson and
normal distributions.
Fig. 8. Entropy variation against number of flows (sorted by traffic
volumn per connection).
Fig. 9. Entropy variation against number of flows (sorted by the number
of connections).
flows for a local router as 1,000, and among them, there is
one attack flow. We keep the packet rates of the nonattack
flows at the same level, and increase the packet rate of the
attack flow, from 1 to 600 times of the nonattack flow packet
rate. The results are shown in Fig. 11.
Fig. 11 indicates clearly that the entropy variation drops
almost linearly with the increase of attack strength.
Furthermore, in order to have a direct presentation about
the relationship between the decrease of entropy variation
and the increase of attack strength, we transformed the
results of Fig. 11 into Fig. 12.
In Fig. 10, we have learned that the standard variation of
entropy variation of nonattack flows is about 0.015, and
Fig. 12 indicates that the decrease of entropy variation is
0.02 when the attack strength is seven times of the normal
flow, in other words, we can only discriminate DDoS attack
flows when its attack strength is about seven times of the
normal flow; and we cannot further our traceback proce
dure once the attack strength is not strong, say, less than
seven times of the legitimate flows.
The attach strength is the critical element for our
traceback mechanism, and our strategy is effective once
the attack strength is obvious from legitimate flows, for
example, at least seven times stronger. Therefore, the
proposed traceback method can deal with the majority of
DDoS attacks, e.g., packet flooding attacks. We have to
point out that our method cannot traceback to zombies
whose attack strength is less than seven times the legitimate
flows, as this may cause false negative. Another accuracy
issue for our method is the false positive, for example, flash
crowds will create false positive if we start the traceback
procedure at the victim site.
We now consider the entire attack tree and investigate the
convergence of entropy variation when a DDoS attack is
ongoing. Assume that there are 1,024 zombies in the
following simulations, and they are distributed uniformly
in terms of hops from the victim. In these simulations, we
ignore the hops with no zombies, and the most far away
zombies are 10 hops away fromthe victim, namely, each hop
has around 100 zombies. We examine the convergence of the
entropy variation with different attack tree structures, e.g.,
twobranch tree and threebranch tree. For each simulation,
we examine three cases, 100 flows, 500 flows, and1,000 flows,
respectively. The results for the binary tree and threebranch
tree cases are shown in Figs. 13 and 14, respectively.
From Figs. 13 and 14, we find that the entropy variation
converges when the attack flows are aggregated to the
victim, namely, the entropy variation of a router decreases
when the router is getting closer to the victim. For example,
the entropy variation at 10 hops away from the victim is
much higher than that of router which is 2 hops away from
the victim. In general, the variation entropy decreases when
the attack flows get closer to the victim. This confirms the
conclusion of Theorem 2 of Section 4. Moreover, the entropy
variation converges faster in the threebranch attack tree
compared with that of the binary attack tree because the
attack strength is higher and concentrated in the first case.
These two simulations also demonstrate that the change of
entropy variation is related to the attack strength: higher
attack packet rates result in greater drop of entropy
variation, in other words, it is easier for our proposed IP
traceback strategy to complete its tasks.
Based on these two convergence simulations, we can
conclude that if a node in the attack tree possesses more
422 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 22, NO. 3, MARCH 2011
Fig. 10. The standard variation of entropy variation against number of
flows with different standard variations.
Fig. 12. The relationship between the decrease of the entropy variation
and attack strength.
Fig. 11. The changes of entropy variation against strength of attacks.
child nodes, then the entropy variation converges faster. As
a result, it is easier for us to conduct the traceback procedure.
In order to estimate the overall traceback time, we
assume the same number of zombies (` ¼ 1.024) and
aforementioned parameters. The zombies are evenly dis
tributed in 10 groups in terms of hops away from the
victim. Each of the groups can be anywhere from the victim:
from 1 hop away to 31 hops away. In the worst case, the
zombies are located evenly at the far end on the attack tree,
in other words, the 10 groups of zombies are located from
21 to 30 hops away from the victim. We simulated each case
for the binary attack tree and the threebranch attack tree,
respectively, and the results are shown in Fig. 15.
Fig. 15 shows that the total traceback time is about
25 seconds in the worst case (the most far away zombies are
30 hops away fromthe victim), andit is less than 20 seconds if
the most far away zombies are 23 hops away fromthe victim.
In [23], it was reported that their traceback time is about
20 seconds for a single attack source with maximum 23 hops
away from the victim. Based on [23], if the number of hops
between two Internet ends is 15, then the general traceback
time is around 10 seconds for the binary attack tree, and less
than 7 seconds for threebranch attack tree for our traceback
method. This simulation demonstrates that our method is
better than the previous traceback method in terms of overall
traceback time. Moreover, it is shown in [34] that the average
durationfor DDoS attacks is 510 minutes, so that our method
can traceback to the most far away zombie effectively before
it disappears from the attacking scene.
7 SUMMARY AND FUTURE WORK
In this paper, we proposed an effective and efficient IP
traceback scheme against DDoS attacks based on entropy
variations. It is a fundamentally different traceback mechan
ism from the currently adopted packet marking strategies.
Many of the available work on IP traceback depend on
packet marking, either probabilistic packet marking or
deterministic packet marking. Because of the vulnerability
of the Internet, the packet marking mechanism suffers a
number of serious drawbacks: lack of scalability; vulner
ability to packet pollution from hackers and extraordinary
challenge on storage space at victims or intermediate
routers. On the other hand, the proposed method needs no
marking on packets, and therefore, avoids the inherent
shortcomings of packet marking mechanisms. It employs
the features that are out of the control of hackers to conduct
IP traceback. We observe and store shortterm information
of flow entropy variations at routers. Once a DDoS attack
has been identified by the victim via detection algorithms,
the victimthen initiates the pushback tracing procedure. The
traceback algorithm first identifies its upstream routers
where the attack flows came from, and then submits the
traceback requests to the related upstream routers. This
procedure continues until the most far away zombies are
identified or when it reaches the discrimination limitation of
DDoS attack flows. Extensive experiments and simulations
have been conducted, and the results demonstrate that the
proposed mechanism works very well in terms of effective
ness and efficiency. Compared with previous works, the
proposed strategy can traceback fast in larger scale attack
networks. It can traceback to the most far away zombies
YU ET AL.: TRACEBACK OF DDOS ATTACKS USING ENTROPY VARIATIONS 423
Fig. 14. The convergence of the entropy variation on a threebranch
attack tree.
Fig. 15. The traceback time for DDoS attacks.
Fig. 13. The convergence of the entropy variation on a binary attack
tree.
within 25 seconds in the worst case under the condition of
thousands of zombies. Moreover, the proposed model can
work as an independent software module with current
routing software. This makes it a feasible and easy to be
implemented solution for the current Internet.
Future work could be carried out in the following
promising directions:
1. The metric for DDoS attack flows could be further
explored. The proposed method deals with the
packet flooding type of attacks perfectly. However,
for the attacks with small number attack packet
rates, e.g., if the attack strength is less than seven
times of the strength of nonattack flows, then the
current metric cannot discriminate it. Therefore, a
metric of finer granularity is required to deal with
such situations.
2. Location estimation of attackers with partial infor
mation. When the attack strength is less than seven
times of the normal flow packet rate, the proposed
method cannot succeed at the moment. However,
we can detect the attack with the information that we
have accumulated so far using traditional methods,
e.g., the hidden Markov chain model, or recently
developed tools, e.g., the network tomography. We
have a strong interest to explore this for the whole
attack diagram.
3. Differentiation of the DDoS attacks and flash crowds.
In this paper, we did not consider this issue—the
proposed method may treat flash crowd as a DDoS
attack, and therefore, resulting in false positive
alarms. We have a high interest to explore this issue.
ACKNOWLEDGMENTS
The authors would like to express their thanks to the
anonymous reviews for their insightful comments and
suggestions. The work was supported in part by grants
from The Australia Research Council (Project numbers
DP0773264 and DP1095498), Research Grants Council of the
Hong Kong SAR, China, General Research Fund (GRF) (No.
CityU 114609), and CityU Applied R & D Funding (ARD
(Ctr) No. 9681001).
REFERENCES
[1] “IP FlowBased Technology,” ArborNetworks, http://www.
arbornetworks.com, 2010.
[2] C. Patrikakis, M. Masikos, and O. Zouraraki, “Distributed Denial
of Service Attacks,” The Internet Protocol J., vol. 7, no. 4, pp. 1335,
2004.
[3] T. Peng, C. Leckie, and K. Ramamohanarao, “Survey of Network
Based Defense Mechanisms Countering the DoS and DDoS
Problems,” ACM Computing Surveys, vol. 39, no. 1, p. 3, 2007.
[4] Y. Kim et al., “PacketScore: A StatisticsBased Packet Filtering
Scheme against Distributed DenialofService Attacks,” IEEE
Trans. Dependable and Secure Computing, vol. 3, no. 2, pp. 141155,
Apr.June 2006.
[5] H. Wang, C. Jin, and K.G. Shin, “Defense against Spoofed IP
Traffic Using HopCount Filtering,” IEEE/ACM Trans. Networking,
vol. 15, no. 1, pp. 4053, Feb. 2007.
[6] Y. Chen and K. Hwang, “Collaborative Detection and Filtering of
Shrew DDoS Attacks Using Spectral Analysis,” J. Parallel and
Distributed Computing, vol. 66, pp. 11371151, 2006.
[7] K. Lu et al., “Robust and Efficient Detection of DDoS Attacks for
LargeScale Internet,” Computer Networks, vol. 51, no. 9, pp. 5036
5056, 2007.
[8] R.R. Kompella, S. Singh, and G. Varghese, “On Scalable Attack
Detection in the Network,” IEEE/ACM Trans. Networking, vol. 15,
no. 1, pp. 1425, Feb. 2007.
[9] P.E. Ayres et al., “ALPi: A DDoS Defense System for HighSpeed
Networks,” IEEE J. Selected Areas Comm., vol. 24, no. 10, pp. 1864
1876, Oct. 2006.
[10] R. Chen, J. Park, and R. Marchany, “A DivideandConquer
Strategy for Thwarting Distributed DenialofService Attacks,”
IEEE Trans. Parallel and Distributed Systems, vol. 18, no. 5, pp. 577
588, May 2007.
[11] A. Yaar, A. Perrig, and D. Song, “StackPi: New Packet Marking
and Filtering Mechanisms for DDoS and IP Spoofing Defense,”
IEEE J. Selected Areas Comm., vol. 24, no. 10, pp. 18531863, Oct.
2006.
[12] A. BremlerBar and H. Levy, “Spoofing Prevention Method,” Proc.
IEEE INFOCOM, pp. 536 547, 2005.
[13] J. Xu and W. Lee, “Sustaining Availability of Web Services under
Distributed Denial of Services Attacks,” IEEE Trans. Computers,
vol. 52, no. 2, pp. 195208, Feb. 2003.
[14] W. Feng, E. Kaiser, and A. Luu, “Design and Implementation of
Network Puzzles,” Proc. IEEE INFOCOM, pp. 23722382, 2005.
[15] X. Yang, D. Wetherall, and T. Anderson, “A DoSLimiting
Network Architecture,” Proc. ACM SIGCOMM, pp. 241252, 2005.
[16] Z. Duan, X. Yuan, and J. Chandrashekar, “Controlling IP Spoofing
through Interdomain Packet Filters,” IEEE Trans. Dependable and
Secure Computing, vol. 5, no. 1, pp. 2236, Jan.Mar. 2007.
[17] F. Soldo, A. Markopoulou, and K. Argyraki, “Optimal Filtering of
Source Address Prefixes: Models and Algorithms,” Proc. IEEE
INFOCOM, 2009.
[18] A. ElAtawy et al., “Adaptive Early Packet Filtering for Protecting
Firewalls against DoS Attacks,” Proc. IEEE INFOCOM, 2009.
[19] T. Baba and S. Matsuda, “Tracing Network Attacks to Their
Sources,” IEEE Internet Computing, vol. 6, no. 2, pp. 2026, Mar.
2002.
[20] A. Belenky and N. Ansari, “On IP Traceback,” IEEE Comm.
Magazine, pp. 142153, July 2003.
[21] B. AlDuwairi and M. Govindarasu, “Novel Hybrid Schemes
Employing Packet Marking and Logging for IP Traceback,” IEEE
Trans. Parallel and Distributed Systems, vol. 17, no. 5, pp. 403418,
May 2006.
[22] M.T. Goodrich, “Probabilistic Packet Marking for LargeScale IP
Traceback,” IEEE/ACM Trans. Networking, vol. 16, no. 1, pp. 1524,
Feb. 2008.
[23] T.K.T. Law, J.C.S. Lui, and D.K.Y. Yau, “You Can Run, But You
Can’t Hide: An Effective Statistical Methodology to Traceback
DDoS Attackers,” IEEE Trans. Parallel and Distributed Systems,
vol. 16, no. 9, pp. 799813, Sept. 2005.
[24] S. Savage, “Network Support for IP Traceback,” IEEE/ACM Trans.
Networking, vol. 9, no. 3, pp. 226237, June 2001.
[25] A. Belenky and N. Ansari, “IP Traceback with Deterministic
Packet Marking,” IEEE Comm. Letters, vol. 7, no. 4, pp. 162164,
Apr. 2003.
[26] D. Dean, M. Franlin, and A. Stubblefield, “An Algebraic Approach
to IP Traceback,” ACM Trans. Information and System Security,
vol. 5, no. 2, pp. 119137, May 2006.
[27] G. Jin and J. Yang, “Deterministic Packet Marking Based on
Redundant Decomposition for IP Traceback,” IEEE Comm. Letters,
vol. 10, no. 3, pp. 204206, Mar. 2006.
[28] Y. Xiang, W. Zhou, and M. Guo, “Flexible Deterministic Packet
Marking: An IP Traceback System to Find the Real Source of
Attacks,” IEEE Trans. Parallel and Distributed Systems, vol. 20, no. 4,
pp. 567580, Apr. 2009.
[29] C. Gong and K. Sarac, “A More Practical Approach for Single
Packet IP Traceback Using Packet Logging and Marking,” IEEE
Trans. Parallel and Distributed Systems, vol. 19, no. 10, pp. 1310
1324, Oct. 2008.
[30] K. Park and H. Lee, “On the Effectiveness of Probabilistic Packet
Marking for IP Traceback under Denial of Service Attack,” Proc.
IEEE INFOCOM, 2001.
[31] S. Yu and W. Zhou, “EntropyBased Collaborative Detection of
DDoS Attacks on Community Networks,” Proc. Sixth Ann. IEEE
Int’l Conf. Pervasive Computing and Comm., pp. 566571, 2008.
424 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 22, NO. 3, MARCH 2011
[32] S. Yu, W. Zhou, and R. Doss, “Information Theory Based
Detection against Network Behavior Mimicking DDoS Attacks,”
IEEE Comm. Letters, vol. 12, no. 4, pp. 318321, Apr. 2008.
[33] T.M. Cover and J.A. Thomas, Elements of Information Theory. Wiley
Interscience, 2007.
[34] D. Moore et al., “Inferring Internet DenialofService Activity,”
ACM Trans. Computer Systems, vol. 24, no. 2, pp. 115139, May
2006.
[35] “Lincoln Laboratory Scenario (DDoS) 1.0,” MIT, http://
www.ll.mit.edu/mission/communications/ist/corpora/ideval/
data/2000/LLS_DDOS_1.0.html, 2010.
[36] J. Mirkovic et al., “Accurately Measuring Denial of Service in
Simulation and Testbed Experiments,” IEEE Trans. Dependable and
Secure Computing, vol. 6, no. 2, pp. 8195, Apr.June 2009.
[37] J. Mirkovic et al., “Testing a Collabotative DDoS Defense in a
Red/Blue Team Exercise,” IEEE Trans. Computers, vol. 57, no. 8,
pp. 10981112, Aug. 2008.
[38] H. Aljifri, “IP Traceback: A New DenialofService Deterrent?”
IEEE Security & Privacy, vol. 1, no. 3, pp. 2431, May/June 2003.
[39] Z. Gao and N. Ansari, “Tracing Cyber Attacks from the Practical
Perspective,” IEEE Comm. Letters, vol. 43, no. 5, pp. 123131, May
2005.
[40] A. Yaar, A. Perrig, and D. Song, “FIT: Fast Internet Traceback,”
Proc. IEEE INFOCOM, pp. 13951406, 2005.
[41] A.C. Snoeren et al., “HashBased IP Traceback,” Proc. ACM
SIGCOMM, 2001.
[42] A.C. Snoeren et al., “SinglePacket IP Traceback,” IEEE/ACM
Trans. Networking, vol. 10, no. 6, pp. 721734, Dec. 2002.
[43] M. Sung et al., “LargeScale IP Traceback in HighSpeed Internet:
Practical Techniques and InformationTheoretic Foundation,”
IEEE/ACM Trans. Networking, vol. 16, no. 6, pp. 12531266, Dec.
2008.
[44] http://www.deakin.edu.au/noc, 2010.
Shui Yu (M’05) received the BEng and MEng
degrees from the University of Electronic
Science and Technology of China in 1993 and
1999, respectively, and the PhD degree from
Deakin University, Victoria, Australia, in 2004.
He is currently a lecturer in the School of
Information Technology, Deakin University,
Melbourne, Australia. His research interests
include network security, network theory, and
information theory. He is a member of the IEEE.
Wanlei Zhou received the BEng and MEng
degrees from Harbin Institute of Technology,
China, in 1982 and 1984, respectively; the PhD
degree from the Australian National University,
Canberra, in 1991; and the DSc degree from
Deakin University, Victoria, Australia, in 2002.
He is currently the chair professor of information
technology and the head of School of Informa
tion Technology, Faculty of Science and Tech
nology, Deakin University, Melbourne, Australia.
His research interests include distributed and parallel systems, network
security, mobile computing, bioinformatics, 8and elearning. He has
published more than 200 papers in refereed international journals and
refereed international conferences proceedings. Since 1997, he has
been involved in more than 50 international conferences as general
chair, steering committee chair, PC chair, session chair, publication
chair, and PC member. He is a senior member of the IEEE.
Robin Doss received the bachelor’s degree in
electronics and communication engineering from
the University of Madras, India, in 1999, and the
master’s degree in engineering and the PhD
degree from the Royal Melbourne Institute of
Technology (RMIT), Australia, in 2000 and 2004,
respectively. He has held professional appoint
ments with Ericsson Australia, RMIT University,
and IBM Research, Switzerland. He joined
Deakin University, Melbourne, Australia, in
2003, and currently, is a lecturer in computing. His current research
interests include data management and routing in mobile ad hoc and
wireless sensor networks, network security, and next generation
networks. He is a member of the IEEE.
Weijia Jia (SM’08) received the BSc and MSc
degrees from the Central South University,
Changsha, China, and the MASc and PhD
degrees from the Polytechnic Faculty of Mons,
Belgium, all in computer science. He is currently
a professor of computer science, Department of
Computer Science, City University of Hong Kong
(CityU), Kowloon. In 2006 and 2008, he was
awarded HK $22 millions from the Innovation
and Technology Fund of the Hong Kong SAR
Government for two projects with the intentions of designing and
implementing cyber crossplatform secure communications to integrate
the Internet with 3G, WiFi, WiMAX, ad hoc, sensor, and PSTN networks
for realtime multimedia communications such as VoIP. In these fields,
he has authored more than 300 publications in international journals,
books/chapters, and refereed international conference proceedings. He
has coauthored (with W. Zhou) the book Distributed Network Systems
(Springer, 2006), which contains extensive research materials and
implementation examples. His research interests include wireless
communication and networks, distributed systems, and multicast and
anycast QoS routing protocols for the Internet. He has served as the
editor and guest editor of several international journals and has been a
program committee (PC) chair, a PC member, and a keynote speaker
for various prestigious international conferences. He was a recipient of
the Best Paper Award at a prestigious IEEE conference. He has been
listed in the Marquis Who’s Who (VIP) in the World (20002008). He is a
member of the ACM and a senior member of the IEEE.
> For more information on this or any other computing topic,
please visit our Digital Library at www.computer.org/publications/dlib.
YU ET AL.: TRACEBACK OF DDOS ATTACKS USING ENTROPY VARIATIONS 425
experiments. However. and they can be used to carry out any attack under the control of the attacker. typical DDoS attacks and Distributed Reflection DenialofService (DRDoS) attacks. The implementation of the proposed method brings no modifications on current routing software. routers are required to observe and record entropy variations of local flows. such as network bandwidth. we have limited real data sets about DDoS attacks. The next step for the attacker is to install new programs (known as attack tools) on the compromised hosts of the attack network. and vulnerability to packet pollutions. the attacker(s) first establishes a network of computers that will be used to generate the huge volume of traffic needed to deny services to legitimate users of the victim. our proposed method can work independently as an additional module on routers for monitoring and recording flow information. Our analysis. The proposed method will be effective for future packet flooding DDoS attacks because it is independent of traffic patterns. Some previous works [23] depend heavily on traffic patterns to conduct their traceback. and then submits requests to the related immediate upstream routers. On the other hand.: TRACEBACK OF DDOS ATTACKS USING ENTROPY VARIATIONS 413 probabilistic mass distributions [33]. therefore. Then the reflectors send the victim a great volume of traffic. and the destination address of the packet. To create this attack network. In this paper. Our entropy variationbased IP traceback model is proposed in Section 3. Understanding the features of DDoS attack is critical for effective attack traceback. In this paper. Unlike the typical DDoS attacks. Numerous zombies together form an army or botnet [3]. it will start the traceback procedure. they will forward the requests to their immediate upstream routers. Because of this essential change. and simulations demonstrate that the proposed traceback mechanism is effective and efficient compared with the existing methods [23]. Vulnerable hosts are those that are either running no antivirus or outofdate antivirus software. traffic patterns have no impact on the proposed scheme. The current knowledge of DDoS attack can be classified as follows: inference based on partial information [34]. Once a DDoS attack has been identified. [34]. 2 BACKGROUND AND RELATED WORK . Detailed analysis of the proposed scheme is conducted in Section 4. real network emulation [35] or simulations [36].YU ET AL. or those that have not been properly patched. respectively. The proposed strategy is fundamentally different from the existing PPM or DPM traceback mechanisms. which is extremely hard to achieve on the Internet. In particular. The hosts running these attack tools are known as zombies. and there is no packet marking in the proposed strategy. The upstream routers identify where the attack flows came from based on their local entropy variations that they have monitored. the army of a DRDoS attack consists of master zombies. Both PPM and DPM require update on the existing routing software. the victim initiates the following pushback process to identify the locations of zombies: the victim first identifies which of its upstream routers are in the attack tree based on the flow entropy variations it has accumulated. attackers discover vulnerable hosts on the network. slave zombies. to identify the attacker sources further. because they believe that the victim was the host that asked for it. and real attack and defence between two cooperate research groups [37]. and reflectors. . we can deal with any complicated attack patterns. The related algorithms are designed in Section 5. . such as limited scalability. The proposed method can archive realtime traceback to attackers.1 Background of DDoS Attacks DDoS attacks are targeted at exhausting the victim’s resources. 2. they expected that traffic patterns obey Poisson distribution or Normal distribution. the proposed strategy overcomes the inherited drawbacks of packet marking methods. huge demands on storage space. There are two categories of DDoS attacks. and operating system data structures. to exhaust the victim’s resources. as a reply to its exhortation for the opening of a new connection. exhorting these machines to connect with the victim. These are exploited by the attackers who use the vulnerability to gain access to these hosts. we. Once the shortterm flow information is in place at routers. The difference in this type of attack is that slave zombies are led by master zombies to send a stream of packets with the victim’s IP address as the source IP address to other uninfected machines (known as reflectors). and it outperforms the available PPM and DPM methods. we use flow entropy variation or entropy variation interchangeably. computing power. Section 6 focuses on the performance analysis for every aspect of the proposed mechanism with Section 7 summarizing the paper and discussing future work. Once the immediate upstream routers have identified the attack flows. and the victim notices that it is under attack. this procedure is repeated in a parallel and distributed fashion until it reaches the attack source(s) or the discrimination limit between attack flows and legitimate flows is satisfied. the master computer orders the zombies to run the attack tools to send huge volume of packets to the victim. However. For example. In a typical DDoS attack. The workload of traceback is distributed. even legitimate traffic pattern mimicking attacks. During nonattack periods. We categorize packets that are passing through a router into flows. and the overall traceback time mainly depends on the network delays between the victim and the attackers. The rest of the paper is organized as follows: Section 2 describes the background of DDoS attacks and the related work which has been done so far on IP traceback. . was taken to measure the instant difference between two flows [32]. which are defined by the upstream router where a packet came from. can avoid the inherited shortcomings of the packet marking mechanisms. it possesses the following advantages: . [35]. To launch a DDoS attack. we propose a novel mechanism for IP traceback using information theoretical parameters. therefore. and communicating with its upstream and downstream routers when the pushback procedure is carried out.
i ¼ 0. MARCH 2011 2. the proposed FIT algorithm can traceback the attack paths with high probability after receiving only tens of packets. 14 out of 25 bits. similar to PPM. Savage et al. a large checksum cord C ¼ CðMx Þ(N À log2 l À jMi jbits). . . Snoeren et al. The second algorithm targets propagating the IP addresses of the routers that were involved in marking certain packets by loading them into packets going to the same destination.414 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS. is essential in solving the DDoS attack challenge.. the victim can traceback the leaves on an attack tree. In [21]. bi includes three parts: an index of the pieces (log2 l bits). then Pr ob½X1 > x ! Pr ob½X2 > x. it is infeasible when the path is long or there is insufficient unused space in the original packet. [42]. 22. The model bears a very strong assumption: the traffic pattern has to obey the Poisson distribution. For a router on the attack tree. for example. which is hard for hackers to predict. the randomizeandlink approach to implement IP traceback based on the probabilistic packet marking mechanism was proposed. [24]. The victim can reconstruct the message efficiently by checking the cord and the index sequence. the traffic that targeted the victim was measured to construct the attack diagram. The packets are digested using bloom filter at all the routers. The first one preserves the marking information at intermediate routers in a specific way so that it can be collected using a linklistbased approach. which end at the victim. 1 bit of the fragmentation index.g. The PPM method is vulnerable to attackers. and therefore. [24] first introduced the probabilitybased packet marking method.g. PPM requires all the Internet routers to be involved in marking. which is not always true in the Internet. tried to traceback the attackers using traffic rates of packets. which records the router address to the packet with probability. N bits. Moreover. Therefore. The idea is to have every router X to fragment its unique message Mx (e. The FIT algorithm also performed well even in the presence of legacy routers and it is a scalable algorithm for thousands of attack sources. The algorithm targets two aspects: to reconstruct the marks from the marker efficiently and to make the PPM more secure against hackers’ pollution. the Poisson distribution. The summary of the existing DDoS traceback methods can be found in [38] and [39]. 2 bits for fragmentation index. two hybrid schemes that combine the packet marking and packet logging method to traceback the attack sources are proposed—Distributed LinkList Traceback (DLLT) and the Probabilistic Pipelined Packet Marking (PPPM). [40] studied the marking technique to improve the PPM mechanism. the receiver can identify the source location of the packets once it has sufficient information of the marks. and a piece of Mi . However. The edge sampling algorithm fixed the problems of the node sampling algorithm to some extent. l (jMi j bits). If X1 and X2 are two flows on the attack tree. on the routers of the attack path. which appends each node’s address to the end of the packet as it travels from the attack source to the victim. Law et al. M0 . 8x. there was a tree which was rooted at the victim.2 Related Work of IP Traceback It is obvious that hunting down the attackers (zombies). node appending. Based on the PPM mechanism. However. In general. The deterministic packet marking mechanism tries to mark the spare space of a packet with the packet’s initial router’s information. . centralized processing on the victim. They broke the 16bits marking space into three parts: 1 bit for distance. the traceback strategies are based on packet marking. . therefore. Packet marking methods include the PPM and the DPM. At the same time. in [23]. . and then identified where the attackers were located. At the same time. . This traceback method heavily depends on the queuing model. The router assembles the mark as bi . and it requires the traffic flows to obey specific patterns. it also places a significant strain on the storage capability of intermediate routers. The methods can even traceback a single packet. the outgoing flow included two parts: the locally generated flows and the transit flows from the upstream router(s) of the attack tree. the DPM mechanism cannot avoid pollution from attackers. which were targeted on the victim [23]. Yaar et al. IP address. most of the PPM algorithms suffer from the storage space problem to store large amount of marked packets for reconstructing the attack tree [22]. as attackers can send spoofed marking information to the victim to mislead the victim. Based on these logged information. we can treat the cord as a random number. it requires large number of packets to improve the accuracy of the attack path reconstruction. The cord is quite large. Based on the PPM mechanism. VOL. all of them are used rarely in a common IPv4 packet). it inherits the disadvantages of the PPM mechanism: large amount of marked packets are expected to reconstruct the attack diagram. Then. the probability of a packet marked by a router d that hops away from the victim is pð1 À pÞdÀ1 . and it may require very large amount of marks for packet reconstruction. . The major problem of DPM is that it involves modifications of the current routing software. proposed a method by logging packets or digests of packets at routers [41]. an edge sampling algorithm was proposed to mark the start router address and end router address of an attack link and the distance between the two ends. and it is easy be fooled by attackers using packet pollution.g. and a hash fragmentation of 13 bits. By this modification.. The authors proposed the node sampling algorithm. NO. 3. the router calculates the checksum C ¼ CðMx Þ. . Moreover. and 8 bits of service type. IP address) into several pieces. Obviously. Moreover. e. as pointed out in [30]. e. Based on the number of marked packets. and X1 is the upstream flow of X2 . M1 . and the victim can reconstruct the paths that the attack packets went through. and further to the hackers.. The PPM mechanism tries to mark packets with the router’s IP address information by probability on the local router. p. which is 25 bits in the paper: 16 bits of fragmentation ID. we can reconstruct the attack path. In [22]. The accuracy of PPM is another problem because the marked messages by the routers who are closer to the leaves (which means far away from the victim) could be overwritten by the downstream routers on the attack tree [21]. They focused on the traffic flows. The victim will collect all the marked packets from the routers and reconstruct the attack tree based on the traffic rates of the different routers. Ml . named as cord. 1. and injects bi randomly into the unused IPv4 packet header (say. Therefore.
therefore. a router knows its local topology . 2 has two different incoming flows—the ones from the upstream routers Rj and Rk . 3 SYSTEM MODELING FOR IP TRACEBACK ON ENTROPY VARIATIONS 3. 1 as a sample network with DDoS attacks to demonstrate our traceback strategy. In the rest of the paper. as shown in Fig. Jin and Yang [27] improved the ID coding of the deterministic packet marking scheme using redundant decomposition of the initial router IP address. furthermore. the edge router of LAN0 can infer that the attackers are located in the local area network. and V will notice the dramatic changes. it can pushback to the LANs. Moreover. We denote a flow on a local router by <ui . to identify the abnormality of DDoS attacks [6]. the victim can trace which router the packets came from. the router embeds its IP address into the packet by chopping the router’s IP into two segments with 17 bits each (16 bits for half of the IP address and 1 bit works as index). will not be able to sense the variations. and 1831 bits. respectively. and t is the current time stamp. such as R2 and R3 . R5 . 1. Observers at routers R1 . LAN0 . preserving these addresses while avoiding the need for longterm storage at the intermediate routers. however.g. Belenky and Ansari [25] noticed that the PPM mechanism can only solve large flooding attacks. attackers could cheat this feature by increasing attack strength slowly. We notice that entropy variation is only one of the possible metrics. which is a measure of randomness. The traceback request is then further passed to the upstream routers. For example. and R as the set of real numbers. there are attackers behind router R4 .1 A Sample Network with DDoS Attacks In order to clearly describe our traceback mechanism. let us have a close investigation on the flows of a router. Then the traceback requests are further delivered to the edge routers of LAN0 and LAN1 .. and the destination address of the packet. its upstream routers. We employ entropy variation in this paper to measure changes of randomness of flows at a router for a given time interval. the edge router of LAN1 finds that there are attackers in LAN1 . R4 . dj is the destination address of a group of packets that are passing through the local router Ri . In Fig. changepoint of flows. where ui is an upstream router of a local router Ri . 922 bits. 1. the paper proposed a deterministic packet marking method for IP traceback. As a result. the local area network attached to the router. fðxÞ can be recovered given fðxÞ evaluated at d þ 1 unique points. Similar to the victim. such as f1 and f2 . i. as shown in Fig. dj . once the victim realizes an ongoing attack. Therefore. and no attackers are behind router R2 . Chen and Hwang used a statistical feature. We name this kind of flows as transit flows. We can also employ other statistic metrics to measure the randomness. We name the router that we are investigating now as a local router. the local router Ri in Fig. Dean et al. j 2 I. and there is no more marking for the packet. Therefore. t 2 R.2 System Modeling In this paper.YU ET AL. PPM is vulnerable if hackers inject marked packets into the network. Compared with nonattack cases. such 3. We choose entropy variation rather than others in this paper because of the low computing workload for entropy variations. however. Entropy is an informationtheoretic concept. we can identify the locations of attackers. Every ingress router writes its own IP address into the outgoing IP packet header. Another type of incoming flows of the local router Ri is . Generally. e. one group is behind the link to LAN0 and another group is behind the link to LAN1 . Different from PPM. as f3 . the routers who are not in the attack paths. which caused the changes based on the information of flow entropy variations. and a combination of attack flows and legitimate flows.: TRACEBACK OF DDOS ATTACKS USING ENTROPY VARIATIONS 415 Fig. they divided them into three redundant segments. The victim can reassemble the source router IP using the packets it has received. [26] proposed a deterministic packet marking strategy for IP traceback. and then five different hash functions are applied on the three segments to create five results. First. and it is not applicable for attacks consisted of a small number of packets. Their idea is that for any polynomial fðxÞ of degree d in the prime field GF ðpÞ. the volumes of some flows increase significantly in a very short time period in DDoS attack cases. based on its knowledge of entropy variations. the victim knows that attackers are somewhere behind router R1 . The basic idea is that at the initial router for an information source. 1. t>. we use Fig. A sample network with DDoS attacks. 2. The resulting eight segments are recorded in the outgoing packets randomly. respectively. The traceback can be done in a parallel and distributed fashion in our proposed scheme. such as standard variation or highorder moments of flows. for encoding traceback information. Then the traceback request is delivered to router R1 . router R1 knows that there are two groups of attackers. They used an algebraic approach. and the downstream routers. the flows with destination as the victim include legitimate flows. and therefore. In a DDoS attack scenario. For an IP address. A flow is defined by a pair—the upstream router where the packet came from. we categorize the packets that are passing through a router into flows. we use I as the set of positive integers. Similarly. 013 bits. until we locate the attackers in LAN5 . Based on entropy variation information of router R3 . originally developed for coding theory and learning theory.
g. Based on the large number theorem. During a DDoS flooding attack. we compare our proposed method with the representatives of DPM [42] and PPM [22] algorithms. i. dj 2 D. The features of a standalone router are analyzed first. dj . For a given time interval ÁT . In order to make the presentation tidy. Both of these two schemes are used as the benchmark in [43] as well. Routers process more than 20 Mpkts/sec (roughly 2 OC192 links. and all the flows leaving router Ri are named as output flows. It chooses one source (attacker) and one destination randomly from a tierone ISP made up of roughly 70 backbone routers with links ranging from T1 to OC3. which is treated as the most scalable PPM algorithm. dj . therefore. and there are around 1. dj . The settings and network environment for the proposed algorithm are the same as that of DPM [42] and PPM [22]. There is no extraordinary change of network traffic in a very short time interval (e. dj Þ ¼ P1 P1 . dj Þ pij ðui . tÞj as the count number of packets of the flow fij at time t. the change of traffic is quite smooth in our context. and set U as the set of incoming flows of router Ri . we first compare the proposed model with the existing proposals in order to show the advantages of the proposed mechanism. The routers between the source and the destination perform packet digests using a bloom filter. dj Þ: ð4Þ In order to differentiate from the original definition of entropy. tÞj ¼ 0. dj Þ ð3Þ 4. such as sampling probability p ¼ 0:05. t þ ÁT Þ is the number of packets of flow fij . Fig. and it shows clearly that the proposed mechanism outperforms the other two mechanisms in terms of scalability (the size of attack network that we can handle). and the average packet size is 400 bytes as indicated in the paper. VOL. and we calculate the related storage space and traceback time as the parameters provided by the paper. Therefore. dj . We take [42] as the representative for DPM mechanism because it is a typical research instance for that category. U ¼ fui .2 Analysis of EntropyVariationBased Traceback Model We present our assumptions below in order to make our analysis simple and clear. dj . e. t þ ÁT Þ in the rest of this paper. then Nij ðui . dj . The comparisons are listed in Table 1. We use [22] as an instance for the PPM strategy. dj Þ to represent Nij ðui . i 2 Ig to represent the destinations of the packets that are passing through the local router Ri . NO. or 8 OC48s). i 2 Ig þ fLg. t þ ÁT Þ ¼ jfij ðui . generated at the local area network. there are no fundamental changes. dj Þ log pij ðui . t þ ÁT Þj À jfij ðui . and the improvements are limited compared to our proposed methodology. We assume the following: 1. 2. 22. t>jui 2 U. followed by the investigation on the properties of the whole attack tree of a DDoS attack. . which went through the local router during the time interval ÁT . in the comparisons.416 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS. we call H(F) as entropy variation in this paper. and we use L to represent the local flows. Traffic flows at a router on an attack path. MARCH 2011 4 TRACEBACK MODEL ANALYSIS In this section. dj . If we break down these changes into seconds. However. we call these local flows. However. The number of attack packets is at least an order of magnitude higher than that of normal flows. dj Þ gives the probability of P flow fij over all P the 1 the flows on the local router.. 3. we have the probability of each flow at a local router as follows: Nij ðui . traceback time (the overall time we need from the start time until the end of tracing process). 4. i 2 I as the immediate upstream routers of the local router Ri . tÞj: ð2Þ If we set jfij ðui . We name all the incoming flows as input flows. We then analyze the proposed entropy variationbased traceback model in detail.000 flows at a router. a flow at a local router can be defined as follows: fij ðui . There are some improvements for DPM by distributing logging information among routers [29] and PPM by reducing the probability of sampling [43]. then v 2 D. and 1 i¼1 j¼1 pij ðui . respectively. which measures the variations of randomness of flows on a given local router..1 Comparison of Traceback Models In order to show the advantages of the proposed mechanism. i¼1 j¼1 Nij ðui .j pij ðui . dj Þ ¼ f<ui . the number of attack packets where pij ðui . It is true that the network traffic for a router may dynamically change a lot from peak to offpeak service times. Let F be the random variable of the number of flows during the time interval ÁT on a local router. we define the variation of the number of packets for a given flow as follows: Nij ðui . this kind of change lasts for a relatively long time interval. If v is the victim router. We denote ui . dj .g. dj Þ ¼ 1. We use a set D ¼ fdi . we use Nij ðui . Therefore. storage (the storage space that we need on routers or victims to conduct IP traceback). 2. at least at the level of minutes. j 2 Ig: ð1Þ We denote jfij ðui . and the operation workload (the operations on possible routers or victims). at the level of seconds) for nonDDoS attack cases. we define the entropy [33] of flows for the local router as follows: HðF Þ ¼ À X i.
this assumption is reasonable. We know that H À ðF Þ is quite stable for a long time period. For a local router. the number of attack packets is much higher than that of legitimate flows. The local router’s entropy variation is. Respectively) increases dramatically. . pN Þ ¼ À N X i¼1 We divide our timeline into two segments for the following investigation: before DDoS attack and under DDoS attack. . p2 . 3. this is the lower bound that we can discriminate attack flows from the legitimate flows (see the experiments in Section 6). . and the standard variation of H À ðF Þ be . We justify our threshold to make the following equation holds with high probability: jH À ðF Þ À Cj : ð7Þ In order to make the mean C and standard variation adaptive to the network traffic variations. and C be the mean of H À ðF Þ. . the attack paths may overlap as well. . pN g. [34]. We can simplify the expression of entropy of (4) as follows: HðF Þ ¼ Hðp1 .YU ET AL. therefore. denoted by H À ðF Þ and H þ ðF Þ. . Consequently. Only one DDoS attack is ongoing at a given time. suppose that the number of flows is N.: TRACEBACK OF DDOS ATTACKS USING ENTROPY VARIATIONS 417 TABLE 1 The Comparison of the Entropy Variation Mechanisms against DPM and PPM (with the Same Settings and Network Environment. p2 . . but we only consider the one attack scenario to make it simple and clear. . respectively. and the probability distribution is P fp1 . and the attack packets are generated by thousands of zombies or bots [3]. and in this paper. It could be true that a number of attacks are ongoing concurrently in the Internet. 4. Of course. for the nonflooding attacks. this may not hold. Let be a reasonable threshold. we focus on the majority of the attack tools—flooding attacks. . The number of flows for a given router is stable at both the attack cases and nonattack cases. let C½t ¼ ½t ¼ n X i¼1 n X i¼1 i Á C½t À i. Furthermore. Therefore.
ð8Þ ð9Þ . n X i¼1 n X i¼1 i ¼ 1.i Á ½t À i.
n are the weights for the n past samples. . j 2 I. and there are no packets going through the local router for the other flows. 2. . respectively. . The values of i ði ¼ 1. . . . .i ¼ 1. we have the following special cases to reach the lower bound and the upper bound. we have the upper bound when p1 ¼ p2 ¼ Á Á Á ¼ PN . ½t À i and . and i . respectively: when there is only one flow alive during the sampling time interval. . The same for ½t. pk ¼ 0. . we obtain the upper bound and lower bound of H(F) as follows: 0 HðF Þ log N: ð6Þ We reach the lower bound when pi ¼ 1. 1 i N. HðF Þ ¼ 0. In order to reflect the nearest changes. 2. nÞ are fixed and could be decided by the experiments of nonattack cases. N. . k ¼ 1. . and k 6¼ i. when the number of packets for each flow is the same among all the flows at a local router. i ¼ 1. Based on our definition of the random variable of flows. pi log pi : ð5Þ Based on the characteristics of the entropy function [33]. let i > j for i < j. then we have HðF Þ ¼ log N. 2. . i. where C[t] represents the current mean. C[t À i] is the mean of the ith sample instance in the near past.
. respectively. . In order to find the immediate sources of the attack flows from the upstream routers. we sort the flows <ui . . ui 2 U increase significantly. The evolutions will be suspended when a DDoS attack is ongoing. . Niv ðui . v>. i ¼ 1. v>. ui 2 U in terms of number of packets of a given attack flow. then the following equation holds with high probability: jH þ ðF Þ À Cj > : ð10Þ Moreover. 2. we know that the reason behind this is that the packet numbers of flows <ui . vÞ.i . If an attack flow is going through a local router. n. We calculate the entropy variation .
in other words. In other words. . Let X be the random variable for the flow distributions. Then the traceback requests are further forwarded to the elements of set fui g. . We use the network in Fig. ð12Þ jH þ ðF nLÞ À Cj : Then L. For a nonattack case. 3. Lemma 2. . ð11Þ where F n maxðf<ui . . with the probability distribution of p1 . Let fðxÞ ¼ x log x. The traceback processing terminates under the following conditions: & L ¼ maxf<ui . . . . in other words. We now investigate the features of the entropy variation when a DDoS attack is ongoing. . v>g means taking the maximum element from set f<ui . and it also introduces possible false positive and false negative. . . we have analyzed the characteristics of a local router with and without DDoS attacks. 3. as a result. f2 . 2 Þ ¼ Z À À Fig. then the probability of false positive and false negative can be expressed as follows: Z À1 Z fðxÞdx þ fðxÞdx. we assume that there are n incoming flows. . Suppose that is the true value of the threshold. P ðX 0 Þ ¼ fp0 . Let pi . we have EfðXÞ ! fðEXÞ. and it reaches the minimum. For a local router on an attack path. namely p1 ¼ p2 ¼ Á Á Á ¼ PN . the flows of the local area network. x ! 0. A sample attack tree near the victim. . when the distribution is extremely uneven. . p1 g be the 1 2 N distribution when attack flows are passing through the local router. and we have 0 1 2 < 1. Then the subset fui g U. . the entropy variation of the output flows is not greater than the summation of the entropy variation of the incoming flows. . 1 Þ ¼ PF N ðx. 1 i N represent the instance of the < attack flow. Based on i¼1 fðxÞdx þ Z 1 2 fðxÞdx. x ! 0. pi ¼ 1. p2 . ÀEfðX0 Þ > À EfðX 1 Þ. say. then p0 < p1 . . . Therefore. k ¼ 1. It is also important to have a deep understanding of the changing patterns of entropy variation among routers on an attack tree. MARCH 2011 reiteratively by taking the suspicious flows out starting with the flow which has the greatest packet number. and k ¼ i. Equation (13) gives the probability of false positive when the chosen threshold 1 is less than the true value . . v>gÞ À Cj . . As mentioned at the beginning of this section. Therefore. v>g from set F . and further ÀEfðXÞ ÀfðEXÞ holds. We know that f(x) is a monotonically increasing convex function. 22. Lemma 1. flows are passing through the local router. . . . it is clear that when a DDoS attack occurs. fi2 . p0 . until the difference between the entropy of the remaining flows and the mean is less than or equal to the threshold. Based on (6). . namely (7) holds with high probability. fn (n upstream routers pump packets to one router). pN g be the distribution of flows at a local router. respectively. P specifically À N p0 log p0 > À N p1 log p1 . p2 . . we suppose that the variation of the nonattack flows remain at the same level. We denote the probability density function as a continuous function fðxÞ. is the set of suspicious immediate sources of the DDoS attack. is a monotonically decreasing concave function. u t Theorem 1. 3 as a sample for this study. pni . For a router in Fig. p1 . NO. . Applying Jensen’s inequality [33] to fðXÞ.418 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS. . which includes the upstream routers that we have taken out before (11) holds. Compared with the nonattack situation. when the distribution is even. Proof. N. H À ðF Þ > H þ ðF Þ. let fi1 be the attack flow. the i > i i¼1 i i¼1 i > > result HðX0 Þ > HðX1 Þ. The entropy i i i variation of flow fi is given by the following equation: À Á Hðfi Þ ¼ H p1 . Our traceback procedure starts when a DDoS attack alarm has been raised. > H À ðF Þ > H þ ðF Þ. v>g. . the distribution moves toward the extreme uneven point. we know that entropy variation reaches the maximum. Then P the output flow entropy variation is Hð n fi Þ. therefore. p2 . . . fi1 . . 3. Compared with the nonattack scenario. . ð13Þ PF P ðx. 1 6 i N. it has ni subflows. the number of packets of each flow is stable as we assumed. ð14Þ À2 where fðxÞ could be Gaussian distribution in practice. and P ðX 1 Þ ¼ fp1 . ÀfðxÞ ¼ Àx log x. pni : ð15Þ i i i t u Without loss of generality. respectively. We also know that entropy is a monotonic function [33]. We further have EX0 < EX 1 and i < i > P > ÀfðEX0 Þ > ÀfðEX1 Þ. the entropy variation HðF Þ is stable with minor fluctuations. u t Let P ðXÞ ¼ fp1 . . the process stops when the following equation holds: jH þ ðF n maxðf<ui . the upper bound of entropy variation drops when DDoS attack flows are passing through a local router. logN. . 2. . Hence. Therefore. For any incoming flow fi . f1 . Proof. is the attack source of that branch on the attack tree. pk ¼ 0. fini (flows share one upstream router with different destinations). The threshold is important for us to make the decision. VOL. p0 g be the distribution for 1 2 N the nonattack case. Proof. the upper bound of the entropy variation drops. while (14) gives the probability of false negative when the chosen threshold 2 is greater than the true value . . the entropy variation of a local router drops dramatically when attack . So far. 0.
. l2 . We know that jH À ðF Þ À Cj holds with high probability for a local router before a DDoS attack occurs. which is at a millisecond level usually. we have more and more information about the ongoing attack. Moreover. There are two reasons why this parameter is important. 4). . Then H À ðF Þ % H þ ðF Þ. . A1 .YU ET AL. In [23]. a1 . and vice versa. and the . the entropy variation cannot discriminate them. and the length of the most far away zombies is three hops away. However. and A4 . we know that four attackers. 5 minutes. say. therefore. jH þ ðF Þ À Cj holds with high probability. Unfortunately. . . and there are totally N zombies. A sample traceback branch in an attack tree. Based on the partial information of the attack that the traceback algorithm has accumulated. N. which are going to be traced and the distances between attackers and the current local router. Theorem 4 is quite important for the traceback algorithm to make a decision on when to terminate the pushback procedure. the height of the tree is n. Then. In Fig. Of course. [34] indicated that the average attack duration is around 510 minutes for typical DDoS attacks. and we have knowledge of k attack packet rates. Theorem 4 (Termination condition for traceback). the total time for traceback. we take 31 hops as the maximum hops between two end points on the Internet. ln . 1 i k to represent the distribution of ti . . and from the diagram. say. We use Fig. Suppose that the attack network is a dbranch tree. 1 i k. This theorem can be easily concluded from lemma 2 in an attack tree. we are close enough to the zombies in this case. we also know the output attack packet rate of the current local router. Based on [34]. Based on (17) and inequality (18). we can estimate the number of zombies to be traced and the maximum length to the most far away zombie(s). the period from starting traceback procedure to zombies are identified. then the mean of a1 . ln Þ. a ¼ k pi Á ai . and therefore. The entropy variation drops when a local router is closer to the victim. say. respectively. however. within 10 times range. 4. a2 . Suppose that the zombies are distributed evenly in the attack tree. the maximum hops between two end points at the Internet are 31. we obtain P log n log N À log k pi Á ai i¼1 % : ð19Þ lmax ! log d log d From (17) and inequality (19).: TRACEBACK OF DDOS ATTACKS USING ENTROPY VARIATIONS 419 n% N N ¼ Pk : a i¼1 pi Á ai ð17Þ For a dbranch tree (d ¼ 2 in Fig. Moore et al. . namely jH þ ðF Þ À Cj holds with high probability. ak is close enough to the mean of all zombies in the P whole attack tree if k is sufficient enough. and the fact that H(p) is convex implies that ! n n X X ð16Þ Hðfi Þ ! H fi : i¼1 i¼1 Let lmax ¼ maxðl1 . . . A2 . However. in this case. . . Theorem 3 (Estimation on traceback distance and number of zombies). ak when we reach the current router. the traceback request has been submitted to router R4 . is a critical parameter for any traceback algorithms. router R4 in Fig. Further. . there are no DDoS attack packets passing through the local router. the experiments were conducted with the maximum hops as 23. 4. estimate the number of attackers. in i¼1 terms of statistics. we can estimate the number of zombies to be traced and the maximum length to reach the most far away zombie(s). Therefore. We can. the following equation holds: n X i¼1 dÀli 1: ð18Þ Fig. if the attack flows are similar to the legitimate flows in terms of packet rate. are to be traced. . and the maximum of the length to the most far away zombie(s) with the knowledge of the attack that we have collected so far on the way to router R4 . Jensen’s inequality. a2 . another reason is that we would be able to reduce the damage caused by DDoS attack if we could identify the zombies earlier. . l2 . A3 . 1 n 31: ð20Þ Let the normal delay between two routers in nonattack scenario be t. this knowledge is not available to our traceback algorithm. . an effective traceback procedure has to be completed within this time limitation. we assume that the distance from the current node (the local router) to the n leaves (zombies) is given as l1 . Suppose that the zombies are distributed evenly. There are no attackers at the upstream routers if a local router’s entropy variation is reasonable. respectively. From the Kraft inequality [33]. With the progress of the traceback procedure. we can estimate the number of zombies that are located behind router R4 . 4. n X i¼0 Theorem 2 (Entropy variation convergence of attack flows). We use pi . 4 as a sample attack branch for this investigation. Ef ! fðEXÞ when f is convex. the attack tree is a dbranch tree. However. block them earlier. . We use n to denote the number of zombies to be traced. When a DDoS attack is ongoing. therefore. we can infer the number of attackers to be traced in the branch as (17) di N. and therefore.
the second task is to demonstrate the relationship between the drop of flow entropy variation and the increase of attack strength. 5.420 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS. The IP traceback algorithm on a router. ð31 À nÞ Â di . the local flow monitoring algorithm and the IP traceback algorithm. The numerical results will be shown in Section 6. the traceback time can be calculated as follows: T ¼tÂ n X i¼0 modules at routers. in order to evaluate our scheme. There are two algorithms in the proposed traceback suite. and the second part was to demonstrate the effectiveness of DDoS attacker traceback and the overall traceback time. 1. we have carefully conducted extensive simulations and real case observations. and evaluate the total traceback time. The progressing suspends when a DDoS attack is ongoing. our entropy variation traceback mechanism is independent from the topology of attack network and it is also independent from the network topology of victims. . 5 ALGORITHMS FOR THE IP TRACEBACK MODEL In this section. Consequently. and zombies are distributed in the attack tree uniformly. we further simulate the whole attack tree for traceback. and at the upstream routers. The proposed algorithms are independent from the current routing software. The local flow monitoring algorithm is running at the nonattack period. we can calculate the total traceback time to the most far away zombies using the proposed traceback method. and find out the fluctuations for normal situations. then the victim starts the IP traceback algorithm. 5. We note that. It is initiated by the victim. and progressing the mean and the standard variation of flows. delay on a link be proportional to the number of packets passing through the link. 10. The algorithm for local flow traffic monitoring. which is shown as Fig. We set the attack tree as a binary tree or threebranch tree. we design the related algorithms according to our previous modeling and analysis. Once a DDoS attack has been confirmed by any of the existing DDoS detection algorithms. the network security community lacks suitable data sets of real largescale DDoS attacks.000 packets per second of attack flows. such as. they can work as independent In this section. Then. it is triggered by the IP traceback requests from the victim or the downstream routers which are on the attack path. we evaluate the effectiveness and efficiency of the proposed entropy variation based on IP traceback mechanism. and it is even harder to find suitable data sets for our algorithms. Fig. 3. The IP traceback algorithm is installed at routers. so that we can identify the threshold for identifying attack sources. VOL. accumulating information from normal network flows. Our first task is to show that the flow entropy variation is stable for nonattack cases. MARCH 2011 Fig. As mentioned in Section 2. The simulation settings are arranged according to Fig. 510 minutes attack duration. As a result. 1 n 30: ð21Þ 6 PERFORMANCE EVALUATIONS Combining (20) and (21). We use the essential DDoS attack parameters as presented in [34] in our simulations. 6. The performance evaluation included two parts—the first one focussed on the entropy variation monitoring at a local router. 6. 22. we do not need to change the current routing software. The local flow monitoring algorithm is shown as Fig. NO. respectively.
015. we observe the stability of entropy variations at a local router during nonattack periods. Entropy variation against number of flows (sorted by traffic volumn per connection).: TRACEBACK OF DDOS ATTACKS USING ENTROPY VARIATIONS 421 Fig. we conducted a real case study by collecting network flow information from a gateway server of our campus [44] over one week. for a router with around 500 flows. we increase the number of flows (the flows are sorted by traffic volume per connection) and check the variation of flow entropy variation on the gateway server. 7. the Poisson distribution flows and the Normal distribution flows. þ0:196. and the results are shown in Fig. 7 indicates that the entropy variation increases smoothly against the increase of the number of flows which are passing through the local router. then we will create false positive. and the difference of the variation entropies is quite limited. For example. We sorted the flows in different ways: by traffic volume per connection and by the number of connections for a given time interval. Æ25% and Æ50%. . and the standard variations (std) of the flows are 25 and 50. The results are shown in Fig. we will create false negative. Fig. 8. We notice that the entropy variation is steady and smooth as we found in the simulation. We examine two kinds of flows. There were thousands of flows per day from the collected data set. Entropy variation against number of flows (sorted by the number of connections). The results are listed in Figs. 9. 10. It indicates that the standard variation of the entropy variation is quite stable (the fluctuation is around 13 percent). we can use it as a benchmark to discriminate DDoS attack flows. when there is no DDoS attack. so that the confidence level is 1 À ¼ 95%. As previously presented by (13) and (14). and considered the top 1. if we set our discrimination threshold to be less than 0. 8. the variation is about 0. Based on Figs. and the corresponding confidence interval is ½À0:196.000 flows as input for the experiments. In Fig. We fix the number of Fig. 7. For confidence level in the simulations. moreover. This is one of the foundations for our proposed algorithms. the standard variation of entropy variation decreases when the number of flows increases. we take ¼ 0:05. 7 and 10. it is important to know the stability of the entropy variation against the fluctuations of flows in nonattack cases. while when we set to be greater than 0. We examine the real data set to observe the patterns of flow entropy variation against number of flows for each day in that week. Fig. In Fig. and the combination of Normal distributions with different parameters can be used to approximate most distributions. It also shows the similarity of the entropy variation patterns for the two distributions. we can further conclude that the entropy variation is stable against huge flow fluctuations and number of flows in nonattack cases. We conducted two simulations for this purpose: we make the mean of flows as 100 packets per time unit. respectively. The Poisson distribution is treated as the pattern of Internet traffic by most researchers. Moreover. We observe the changes of the entropy variation against the number of flows. We first investigated the impact on the entropy variation against the number of flows. We use the term attack strength to present the packet rate of attacks. we sort the flows by the number of connections for different clients. We investigate the changes of entropy variation when a DDoS attack is ongoing. In order to confirm this in reality. We therefore can conclude that the entropy variation is stable. The entropy variation against number of flows for Poisson and normal distributions. respectively.015. respectively. 9. Therefore. First. 7. 8 and 9. Furthermore. it is independent from specific distribution patterns as shown in Fig.015. even when the fluctuations of the flows are quite big.YU ET AL.
11 into Fig. the entropy variation at 10 hops away from the victim is much higher than that of router which is 2 hops away from the victim. and the most far away zombies are 10 hops away from the victim. namely. In these simulations. This confirms the conclusion of Theorem 2 of Section 4. respectively. From Figs. 100 flows. 10. we transformed the results of Fig. NO. respectively. the entropy variation of a router decreases when the router is getting closer to the victim. in order to have a direct presentation about the relationship between the decrease of entropy variation and the increase of attack strength. 10. it is easier for our proposed IP traceback strategy to complete its tasks. we can only discriminate DDoS attack flows when its attack strength is about seven times of the normal flow.015.g. for example.g. In general.. e. We have to point out that our method cannot traceback to zombies whose attack strength is less than seven times the legitimate flows. 12. in other words. 13 and 14. For each simulation. as this may cause false negative. 12 indicates that the decrease of entropy variation is 0. the variation entropy decreases when the attack flows get closer to the victim. for example. we can conclude that if a node in the attack tree possesses more .422 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS. The results are shown in Fig. and we cannot further our traceback procedure once the attack strength is not strong. e. 13 and 14. We keep the packet rates of the nonattack flows at the same level. and among them. 22. The attach strength is the critical element for our traceback mechanism. namely. less than seven times of the legitimate flows. twobranch tree and threebranch tree. and our strategy is effective once Fig. the entropy variation converges faster in the threebranch attack tree compared with that of the binary attack tree because the attack strength is higher and concentrated in the first case. Fig. and 1. and they are distributed uniformly in terms of hops from the victim. say. packet flooding attacks. 11 indicates clearly that the entropy variation drops almost linearly with the increase of attack strength. and Fig.. The standard variation of entropy variation against number of flows with different standard variations. 3.000 flows. Fig. we examine three cases. flash crowds will create false positive if we start the traceback procedure at the victim site. The results for the binary tree and threebranch tree cases are shown in Figs. 11. The changes of entropy variation against strength of attacks. each hop has around 100 zombies. we ignore the hops with no zombies. We now consider the entire attack tree and investigate the convergence of entropy variation when a DDoS attack is ongoing. the attack strength is obvious from legitimate flows. Based on these two convergence simulations. Therefore. In Fig. Assume that there are 1. The relationship between the decrease of the entropy variation and attack strength. we have learned that the standard variation of entropy variation of nonattack flows is about 0.024 zombies in the following simulations.02 when the attack strength is seven times of the normal flow. 11. at least seven times stronger. there is one attack flow. For example. MARCH 2011 Fig. from 1 to 600 times of the nonattack flow packet rate. and increase the packet rate of the attack flow. Moreover. 500 flows. These two simulations also demonstrate that the change of entropy variation is related to the attack strength: higher attack packet rates result in greater drop of entropy variation.000. Furthermore. we find that the entropy variation converges when the attack flows are aggregated to the victim. We examine the convergence of the entropy variation with different attack tree structures. in other words. the proposed traceback method can deal with the majority of DDoS attacks. Another accuracy issue for our method is the false positive. VOL. flows for a local router as 1. 12.
we proposed an effective and efficient IP traceback scheme against DDoS attacks based on entropy variations. It is a fundamentally different traceback mechanism from the currently adopted packet marking strategies. On the other hand. We simulated each case for the binary attack tree and the threebranch attack tree. This simulation demonstrates that our method is better than the previous traceback method in terms of overall traceback time. and less than 7 seconds for threebranch attack tree for our traceback method. 15. and the results are shown in Fig. Fig. vulnerability to packet pollution from hackers and extraordinary challenge on storage space at victims or intermediate routers.YU ET AL. In order to estimate the overall traceback time. it is easier for us to conduct the traceback procedure. Many of the available work on IP traceback depend on packet marking. either probabilistic packet marking or deterministic packet marking. the proposed method needs no marking on packets. The zombies are evenly distributed in 10 groups in terms of hops away from the victim. It employs the features that are out of the control of hackers to conduct IP traceback. Fig. Compared with previous works. avoids the inherent shortcomings of packet marking mechanisms. respectively. Once a DDoS attack has been identified by the victim via detection algorithms. Based on [23]. and therefore. and it is less than 20 seconds if the most far away zombies are 23 hops away from the victim. This procedure continues until the most far away zombies are identified or when it reaches the discrimination limitation of DDoS attack flows. In [23]. and the results demonstrate that the proposed mechanism works very well in terms of effectiveness and efficiency. the victim then initiates the pushback tracing procedure. the proposed strategy can traceback fast in larger scale attack networks. in other words. the zombies are located evenly at the far end on the attack tree. Each of the groups can be anywhere from the victim: from 1 hop away to 31 hops away. it is shown in [34] that the average duration for DDoS attacks is 510 minutes. child nodes. 14. 7 SUMMARY AND FUTURE WORK Fig. then the entropy variation converges faster. if the number of hops between two Internet ends is 15. The traceback time for DDoS attacks. Moreover. The convergence of the entropy variation on a binary attack tree.: TRACEBACK OF DDOS ATTACKS USING ENTROPY VARIATIONS 423 Fig. so that our method can traceback to the most far away zombie effectively before it disappears from the attacking scene. It can traceback to the most far away zombies . We observe and store shortterm information of flow entropy variations at routers. As a result. In this paper. it was reported that their traceback time is about 20 seconds for a single attack source with maximum 23 hops away from the victim. we assume the same number of zombies (N ¼ 1. The traceback algorithm first identifies its upstream routers where the attack flows came from. 15. the 10 groups of zombies are located from 21 to 30 hops away from the victim. The convergence of the entropy variation on a threebranch attack tree. Extensive experiments and simulations have been conducted.024) and aforementioned parameters. then the general traceback time is around 10 seconds for the binary attack tree. and then submits the traceback requests to the related upstream routers. the packet marking mechanism suffers a number of serious drawbacks: lack of scalability. In the worst case. Because of the vulnerability of the Internet. 13. 15 shows that the total traceback time is about 25 seconds in the worst case (the most far away zombies are 30 hops away from the victim).
D. P. Dean. 2007.. 3. Sarac. 5. 9681001). “Survey of NetworkBased Defense Mechanisms Countering the DoS and DDoS Problems. M. 1. IEEE INFOCOM. 11371151. 2007. vol. 2009. “On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack. and K. Anderson. and T. 2005. http://www. Magazine. no. vol. Franlin.. “Design and Implementation of Network Puzzles. 2005. Patrikakis.E. 226237. IEEE INFOCOM. “Novel Hybrid Schemes Employing Packet Marking and Logging for IP Traceback. the proposed method cannot succeed at the moment. pp. pp. K. Lee. 18641876. Letters.g. . M. Parallel and Distributed Systems.” IEEE Internet Computing. no. Singh. 2009. Varghese. We have a strong interest to explore this for the whole attack diagram. and D. 6. 16. pp. [27] [28] [29] [5] [6] [30] [31] K. In this paper. e. Parallel and Distributed Systems. 50365056. Mar. vol. Goodrich.. W. 4. This makes it a feasible and easy to be implemented solution for the current Internet. Govindarasu. no. Park and H. Apr. 799813. and J. 2003. Parallel and Distributed Systems. A.. Apr. July 2003. Apr. X. 119137. Baba and S. We have a high interest to explore this issue. Parallel and Distributed Systems. Zhou. 403418.Mar. “Distributed Denial of Service Attacks. Therefore. “An Algebraic Approach to IP Traceback. May 2006.” IEEE/ACM Trans. A. Jin and J.” IEEE/ACM Trans.. 1. 141155. “Probabilistic Packet Marking for LargeScale IP Traceback. Zhou. June 2001. Wang. Networking. May 2007. A. e. pp.” IEEE Trans. “Network Support for IP Traceback. “Controlling IP Spoofing through Interdomain Packet Filters. “Flexible Deterministic Packet Marking: An IP Traceback System to Find the Real Source of Attacks. A. and A. “Deterministic Packet Marking Based on Redundant Decomposition for IP Traceback. vol.” The Internet Protocol J. Ramamohanarao. no. 9. 18531863. vol. Song. 10. T.June 2006. pp. 162164. “A DivideandConquer Strategy for Thwarting Distributed DenialofService Attacks. Kaiser.547. 66. Xu and W. Lui. ACM SIGCOMM. Differentiation of the DDoS attacks and flash crowds.” J. Chen. Feng. 2236. “StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense. 2. 2007. pp. vol. vol. Oct.” IEEE Trans. Marchany. 1. 51. R. pp. Parallel and Distributed Systems. and G.” IEEE Comm. Computers. “Sustaining Availability of Web Services under Distributed Denial of Services Attacks. Park. pp. 2005. MARCH 2011 within 25 seconds in the worst case under the condition of thousands of zombies. X. pp.” Proc. vol. pp. Duan. Chandrashekar. Jin. Oct. T. vol. Information and System Security. 24. C. Wetherall. pp.” IEEE Trans. J. Mar. [14] [15] [16] [17] [18] [19] 3. Research Grants Council of the Hong Kong SAR. 577588. Ansari.” Proc. Feb. no. we did not consider this issue—the proposed method may treat flash crowd as a DDoS attack. no.” ArborNetworks. for the attacks with small number attack packet rates. Markopoulou. and A. J. Selected Areas Comm. Oct. “PacketScore: A StatisticsBased Packet Filtering Scheme against Distributed DenialofService Attacks. 2. pp. Luu. A. 2006.. and M. M. resulting in false positive alarms. 3.g. 204206.. Argyraki. 16. a metric of finer granularity is required to deal with such situations. vol. IEEE INFOCOM. 1425. Belenky and N. Savage. J. the network tomography. A. 2008. “EntropyBased Collaborative Detection of DDoS Attacks on Community Networks.” Proc. However. no.g. 2. no. But You Can’t Hide: An Effective Statistical Methodology to Traceback DDoS Attackers. Lu et al. Soldo. E.T. vol. 2006. 2007. 2002.Y. 2006. Dependable and Secure Computing.K. 2026. pp. R. 52.. Belenky and N. ElAtawy et al. [22] [23] [24] [25] [26] REFERENCES [1] [2] [3] [4] “IP FlowBased Technology. AlDuwairi and M.T. The metric for DDoS attack flows could be further explored.” IEEE J. F. and therefore. 241252. Z. However.R. 567580. 1.” IEEE Trans. arbornetworks. 4. Kompella.K. Yang. 5. 13101324. vol. “A More Practical Approach for SinglePacket IP Traceback Using Packet Logging and Marking. “On IP Traceback. we can detect the attack with the information that we have accumulated so far using traditional methods.C. Stubblefield. IEEE INFOCOM. “On Scalable Attack Detection in the Network. no. Ansari. BremlerBar and H.” IEEE/ACM Trans. Perrig. vol. pp.” IEEE Trans. 9. no. 5. D. B. no. no. Shin. The work was supported in part by grants from The Australia Research Council (Project numbers DP0773264 and DP1095498). General Research Fund (GRF) (No. pp. pp. Guo. Feb. 2001. 1. 2010. 3. and CityU Applied R & D Funding (ARD(Ctr) No.424 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS. 10. Yau. S. Yuan. 22. vol. C. and K. or recently developed tools. 2. “ALPi: A DDoS Defense System for HighSpeed Networks. Moreover. e.” IEEE Trans. Feb. Location estimation of attackers with partial information. no.” Computer Networks. Masikos. the proposed model can work as an independent software module with current routing software. 24. 10. 5. 2005. 3. Yaar. 19. no. C.” Proc. pp. pp. May 2006. 2008. Leckie. Selected Areas Comm. “You Can Run.” IEEE/ACM Trans. “A DoSLimiting Network Architecture. pp. 2006. no. IEEE Int’l Conf. Ayres et al. vol. Xiang. Parallel and Distributed Computing. 15. NO. and R. and D.G. A. Networking. and O. “Defense against Spoofed IP Traffic Using HopCount Filtering. Yu and W.” IEEE Comm. Law. T. 17. Matsuda. vol. 2004. 2007. no. Peng. pp. pp.” ACM Trans. H. S. CityU 114609). 4. 23722382. Sixth Ann. and K.” IEEE Trans. then the current metric cannot discriminate it. p. Dependable and Secure Computing. 536. Future work could be carried out in the following promising directions: 1.com. Y. 1335. Networking. if the attack strength is less than seven times of the strength of nonattack flows. pp. Levy. When the attack strength is less than seven times of the normal flow packet rate. pp. vol. vol.S. Sept. 20. Networking. “Robust and Efficient Detection of DDoS Attacks for LargeScale Internet. vol. 566571. “Collaborative Detection and Filtering of Shrew DDoS Attacks Using Spectral Analysis.. IEEE INFOCOM. no. 3. the hidden Markov chain model. Gong and K.” Proc. pp. 18. 9. pp. Kim et al. 39. 7. 142153. [7] [8] [9] [10] [11] [12] [13] 2. 2008. W. 10. “Adaptive Early Packet Filtering for Protecting Firewalls against DoS Attacks. Hwang.” IEEE J. no. The proposed method deals with the packet flooding type of attacks perfectly. no. 7. Y. Feb. no. “Optimal Filtering of Source Address Prefixes: Models and Algorithms.” ACM Computing Surveys. Letters. Zouraraki. 195208. “IP Traceback with Deterministic Packet Marking. Chen and K. China. no. “Spoofing Prevention Method.” IEEE Comm. “Tracing Network Attacks to Their Sources. 15. 2003. vol. S. Jan. vol. Y. 4053. VOL... pp.” IEEE Trans. Pervasive Computing and Comm. [20] [21] ACKNOWLEDGMENTS The authors would like to express their thanks to the anonymous reviews for their insightful comments and suggestions. C. 2009.” Proc. vol. 1524. G. Yang. Lee.” Proc.
and currently. no. vol. 12. he has authored more than 300 publications in international journals. 2002.” IEEE/ACM Trans. Australia. Dec. network theory. 2001. Gao and N. [37] J. no.C. “IP Traceback: A New DenialofService Deterrent?” IEEE Security & Privacy. [35] “Lincoln Laboratory Scenario (DDoS) 1. [36] J.. Since 1997. and the MASc and PhD degrees from the Polytechnic Faculty of Mons. Computer Systems.” MIT. Letters. vol. Faculty of Science and Technology. 6. the PhD degree from the Australian National University. pp. sensor. “SinglePacket IP Traceback. [39] Z. Thomas. 13951406. He is a member of the IEEE. RMIT University. 43. in 1982 and 1984. “Information Theory Based Detection against Network Behavior Mimicking DDoS Attacks. in 2004. 115139. 12531266. He is currently the chair professor of information technology and the head of School of Information Technology. Shui Yu (M’05) received the BEng and MEng degrees from the University of Electronic Science and Technology of China in 1993 and 1999. 8and elearning. and multicast and anycast QoS routing protocols for the Internet. no. Sung et al. “Tracing Cyber Attacks from the Practical Perspective. no. no. “Accurately Measuring Denial of Service in Simulation and Testbed Experiments. He has coauthored (with W. May 2006. and the DSc degree from Deakin University.” IEEE Comm. [38] H. “Testing a Collabotative DDoS Defense in a Red/Blue Team Exercise. Networking. books/chapters. His research interests include wireless communication and networks.. 16. 2008. May/June 2003. May 2005. China. ad hoc. 123131.A.. [42] A. [33] T.0. Victoria. Mirkovic et al. and the master’s degree in engineering and the PhD degree from the Royal Melbourne Institute of Technology (RMIT). 2. vol. WiMAX. and PSTN networks for realtime multimedia communications such as VoIP.0. Belgium. IEEE INFOCOM. network security. and D. 2008.” Proc. He is a member of the IEEE.computer. 2006). in 2002. Australia. pp. Doss. 57. he has been involved in more than 50 international conferences as general chair. China. He is a member of the ACM and a senior member of the IEEE. 318321. Switzerland. 10981112. pp. steering committee chair. Dependable and Secure Computing. pp. Moore et al. 24. Cover and J. vol. Canberra. Yaar. His current research interests include data management and routing in mobile ad hoc and wireless sensor networks. 8195. “Inferring Internet DenialofService Activity. 6. all in computer science. respectively.mit. [43] M. His research interests include network security.au/noc. Department of Computer Science.C. 2005. session chair. publication chair. He is currently a lecturer in the School of Information Technology. Melbourne. vol. respectively. 2010. Computers. 1. Dec. Australia. Zhou) the book Distributed Network Systems (Springer. Apr. Aug. Apr. Elements of Information Theory. Song. pp. network security. Wanlei Zhou received the BEng and MEng degrees from Harbin Institute of Technology. [40] A. and refereed international conference proceedings. For more information on this or any other computing topic. 2008.. and PC member. and IBM Research. Snoeren et al. pp. [34] D.YU ET AL.” Proc. 8. and the PhD degree from Deakin University. Changsha. vol. Melbourne. Kowloon.: TRACEBACK OF DDOS ATTACKS USING ENTROPY VARIATIONS 425 [32] S.” IEEE Trans. He has been listed in the Marquis Who’s Who (VIP) in the World (20002008). distributed systems. ACM SIGCOMM. WileyInterscience. and R. Robin Doss received the bachelor’s degree in electronics and communication engineering from the University of Madras.edu/mission/communications/ist/corpora/ideval/ data/2000/LLS_DDOS_1. 2007.ll. Australia. Perrig. “HashBased IP Traceback. Deakin University. please visit our Digital Library at www. and information theory. Networking. no. Yu. India. and a keynote speaker for various prestigious international conferences. in 2003. Australia.. bioinformatics. He has served as the editor and guest editor of several international journals and has been a program committee (PC) chair. Australia. respectively. 2. mobile computing. he was awarded HK $22 millions from the Innovation and Technology Fund of the Hong Kong SAR Government for two projects with the intentions of designing and implementing cyber crossplatform secure communications to integrate the Internet with 3G. which contains extensive research materials and implementation examples. 3. He is currently a professor of computer science.June 2009. 2431. 4. [41] A. He was a recipient of the Best Paper Award at a prestigious IEEE conference. 6. W. His research interests include distributed and parallel systems. Deakin University. A. a PC member. . Zhou. WiFi. He has published more than 200 papers in refereed international journals and refereed international conferences proceedings. Snoeren et al. Victoria. [44] http://www.html. Melbourne. vol. 10. PC chair. Letters. in 1991. in 2000 and 2004. vol.org/publications/dlib. http:// www. is a lecturer in computing. “FIT: Fast Internet Traceback. City University of Hong Kong (CityU). and next generation networks. pp. “LargeScale IP Traceback in HighSpeed Internet: Practical Techniques and InformationTheoretic Foundation. 5. Mirkovic et al.” ACM Trans. In 2006 and 2008. Weijia Jia (SM’08) received the BSc and MSc degrees from the Central South University. He has held professional appointments with Ericsson Australia. 2010. 721734. .” IEEE Comm.” IEEE/ACM Trans.M.” IEEE Trans. Ansari. Aljifri. He joined Deakin University. He is a senior member of the IEEE.deakin. no.edu. pp. In these fields. pp.. no. in 1999.
This action might not be possible to undo. Are you sure you want to continue?
We've moved you to where you read on your other device.
Get the full title to continue reading from where you left off, or restart the preview.