{"title":"Classification of DDoS Attacks and Flash Events using Source IP Entropy and Traffic Cluster Entropy","authors":"Srinath Sureshkumar","doi":"10.1109/ICECCT52121.2021.9616887","DOIUrl":null,"url":null,"abstract":"Distributed Denial of Services (DDoS) attack is one of the most dangerous exploits capable of affecting an organization’s reputation and functioning. Today several tools are available to launch one with ease. It is extremely difficult to differentiate these attacks from flash events. Flash Crowds are events where plenty of legitimate requests for a common web resource come into the server. When the incoming traffic into a server exceeds the peak limit the possibility of a server crashing or hanging also increases. Due to the congestion caused by the huge amount of illegitimate traffic in DDoS attacks, the server is unable to complete the legitimate service requests and the server’s resources are overloaded with these illegitimate requests. We propose an Entropy based classification technique which differentiates legitimate flash crowds and illegitimate DDoS attack traffic.","PeriodicalId":155129,"journal":{"name":"2021 Fourth International Conference on Electrical, Computer and Communication Technologies (ICECCT)","volume":"9 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-09-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 Fourth International Conference on Electrical, Computer and Communication Technologies (ICECCT)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICECCT52121.2021.9616887","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 0
Abstract
A Distributed Denial of Service (DDoS) attack is one of the most dangerous exploits, capable of affecting an organization’s reputation and functioning. Today several tools are available to launch one with ease. It is extremely difficult to differentiate these attacks from flash events. Flash crowds are events in which plenty of legitimate requests for a common web resource come into the server. When the incoming traffic to a server exceeds the peak limit, the possibility of the server crashing or hanging also increases. Due to the congestion caused by the huge amount of illegitimate traffic in DDoS attacks, the server is unable to complete legitimate service requests, and its resources are overloaded with these illegitimate requests. We propose an entropy-based classification technique that differentiates legitimate flash crowds from illegitimate DDoS attack traffic.