Discriminating DDoS Attack traffic from Flash Crowds on Internet Threat Monitors (ITM) Using Entropy variations

Internet threat Monitoring (ITM) is a monitoring system in the internet to detect, measure, characterize and track the security attacks against attack sources. Distributed Denial of Service (DDoS) is a serious threat to the internet. Attacker uses botnets to launch DDoS attack by sending malicious traffic and the goal is to exhaust ITM network resources such as utilization of network bandwidth, computing power of victim system, data structures used in victim operating systems. The attacker or the botmasters attempt to disable the ITMs by sending the traffic in flash crowd pattern. The Flash Crowd flows are from legitimate users and they are absolutely normal requests, the generated results are similar to the effect of DDoS attacks. Hence, it is important to distinguish DDoS attack flows from flash crowd flows in the internet traffic, for those who defend against DDoS attacks. Based on this, we used a discrimination algorithm based on entropy variations as a similarity metric among suspicious flows. We formulated the problem in the internet with botnets, and presented theoretical proofs for the feasibility of the proposed discrimination method. KeywordsInternet Threat Monitors (ITM), DDoS, Flash crowd attack, Botnet, Entropy and Entropy variations. African Journal of Computing & ICT Reference Format: K.M Prasad, A.R.M. Reddy, K.V. Rao (2013). Discriminating DDoS Attack traffic from Flash Crowds on Internet Threat Monitors (ITM) Using Entropy variations. Afr J. of Comp & ICTs. Vol 6, No. 3. Pp -53-62