TRACEBACK OF DDOS ATTACKS USING ENTROPY VARIATIONS

TRACEBACK OF DDOS ATTACKS USING ENTROPY VARIATIONS

ABSTRACT

Distributed Denial-of-Service (DDoS) attacks are a critical threat to the Internet. However, the memoryless feature of the Internet routing mechanisms makes it extremely hard to trace back to the source of these attacks. As a result, there is no effective and efficient method to deal with this issue so far. In this paper, we propose a novel traceback method for DDoS attacks that is based on entropy variations between normal and DDoS attack traffic, which is fundamentally different from commonly used packet marking techniques. In comparison to the existing DDoS traceback methods, the proposed strategy possesses a number of advantages—it is memory nonintensive, efficiently scalable, robust against packet pollution, and independent of attack traffic patterns. 

Existing System:

A number of IP traceback approaches have been suggested to identify attackers [19], [20], and there are

two major methods for IP traceback, the probabilistic packet marking (PPM) [21], [22], [23], [24] and the deterministic packet marking (DPM) [25], [26], [27], [28]. Both of these strategies require routers to inject marks into individual packets. Moreover, the PPM strategy can only operate in a local range of the Internet (ISP network), where the defender has the authority to manage. However, this kind of ISP networks is generally quite small, and we cannot traceback to the attack sources located out of the ISP network. The DPM strategy requires all the Internet routers to be updated for packet marking. However, with only 25 spare bits available in as IP packet, the scalability of DPM is a huge problem [22]. Moreover, the DPM mechanism poses an extraordinary challenge on storage for packet logging for routers [29]. Therefore, it is infeasible in practice at present. Further, both PPM and DPM are vulnerable to hacking [30], which is referred to as packet pollution

Proposed System

we propose a novel mechanism for IP traceback using information theoretical parameters, and

there is no packet marking in the proposed strategy; we, therefore, can avoid the inherited shortcomings of the

packet marking mechanisms. We categorize packets that  are passing through a router into flows, which are defined by the upstream router where a packet came from, and the destination address of the packet. During nonattack periods, routers are required to observe and record entropy variations of local flows. In this paper, we use flow entropy variation or entropy variation interchangeably. Once a DDoS attack has been identified, the victim initiates the following pushback process to identify the locations of zombies: the victim first identifies which of its upstream routers are in the attack tree based on the flow entropy variations it has accumulated, and then submits requests to the related immediate upstream routers. The upstream routers identify where the attack flows came from based on their local entropy variations that they have monitored. Once the immediate upstream routers have identified the attack flows, they will forward the requests to their immediate upstream routers, respectively, to identify the attacker sources further; this procedure is repeated in a parallel and distributed fashion until it reaches the attack source(s) or the discrimination limit between attack flows and legitimate flows is satisfied

Software & Hardware Requirements

Software Requirements

Java1.5 or More

MS-Sql Server

Hardware Requirements

  Hard disk                    :           80 GB

   RAM                          :           1 GB

  Processor                    :           Pentium