Discriminating DDoS Attack traffic from Flash Crowds on Internet Threat Monitors (ITM) Using Entropy variations

Internet Threat Monitoring (ITM) systems monitor the Internet to detect, measure, characterize and track security attacks back toward their sources. Distributed Denial of Service (DDoS) is a serious threat to the Internet. Attackers use botnets to launch DDoS attacks by sending malicious traffic whose goal is to exhaust the ITM's resources: network bandwidth, the computing power of the victim system, and the data structures used by the victim's operating system. Attackers or botmasters attempt to disable ITMs by shaping their traffic to resemble a flash crowd. Flash crowd flows come from legitimate users and consist of entirely normal requests, yet their effect on the target is similar to that of a DDoS attack. Hence, defenders need to distinguish DDoS attack flows from flash crowd flows in Internet traffic. To this end, we use a discrimination algorithm that takes entropy variation as a similarity metric among suspicious flows. We formulate the problem for an Internet in which botnets operate, and present theoretical proofs of the feasibility of the proposed discrimination method.
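The abstract only names the idea (entropy variation as a similarity metric among suspicious flows); the paper's exact metric, window size and decision rule are not on this page. The example below is an added illustration, not the authors' code, and it assumes one concrete reading of the idea: each suspicious flow is represented by its packet count per time window (constructed sample data), the Shannon entropy of that per-window distribution describes the flow's shape over time, and the "entropy variation" across the flow set is the standard deviation of those entropies. Bot-driven flows generated by the same script tend to share a shape and so show little variation, whereas human-driven flash crowd flows vary widely. The threshold value is an assumed parameter, not one the paper states.

```python
import math
from typing import Dict, List

# Constructed sample traffic: packet counts per time window for each suspicious flow.
# Botnet flows: every bot sends at a constant rate (rates differ, shape does not).
BOT_FLOWS: Dict[str, List[int]] = {
    "bot-1": [100] * 10,
    "bot-2": [120] * 10,
    "bot-3": [80] * 10,
}

# Flash crowd flows: humans arrive and leave at different times with different shapes.
FLASH_FLOWS: Dict[str, List[int]] = {
    "user-a": [30, 0, 0, 0, 0, 0, 0, 0, 0, 0],      # one burst then gone
    "user-b": [10, 10, 10, 10, 10, 10, 10, 10, 10, 10],  # steady reader
    "user-c": [20, 20, 0, 0, 0, 0, 0, 0, 0, 0],     # two windows of activity
    "user-d": [1, 2, 4, 8, 16, 0, 0, 0, 0, 0],      # ramping up, then leaving
}


def shannon_entropy(counts: List[int]) -> float:
    """Entropy (bits) of a flow's packet distribution across time windows.

    A flow that is uniform over all n windows scores log2(n); a flow that is
    active in a single window scores 0. Total rate does not affect the value.
    """
    total = sum(counts)
    if total == 0:
        return 0.0
    h = 0.0
    for c in counts:
        if c:
            p = c / total
            h -= p * math.log2(p)
    return h


def entropy_variation(flows: Dict[str, List[int]]) -> float:
    """Standard deviation of per-flow entropies across a set of suspicious flows.

    Assumed metric (not the paper's stated definition): low variation means the
    flows share one temporal shape, as scripted bots do; high variation means
    the shapes differ, as independent human users do.
    """
    entropies = [shannon_entropy(c) for c in flows.values()]
    mean = sum(entropies) / len(entropies)
    variance = sum((e - mean) ** 2 for e in entropies) / len(entropies)
    return math.sqrt(variance)


def classify(flows: Dict[str, List[int]], threshold: float = 0.5) -> str:
    """Label a set of suspicious flows; the threshold is an assumed parameter."""
    return "flash_crowd" if entropy_variation(flows) > threshold else "ddos"


if __name__ == "__main__":
    for name, flows in (("botnet traffic", BOT_FLOWS), ("flash crowd traffic", FLASH_FLOWS)):
        print(f"{name}: variation={entropy_variation(flows):.3f} -> {classify(flows)}")
```

Note that the bot flows are deliberately given different rates (100, 120 and 80 packets per window) so the example shows the metric reacting to the shape of the traffic over time rather than its volume; a volume-based threshold alone would not separate a flash crowd from an attack of the same size.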
