DDoS Attacks From Flash Crowd Computer Science Essay


Web services have become an essential part of the Internet and of everyday life. The Internet is a worldwide network consisting of millions of private, public, academic, business and government networks; it carries an extensive range of information resources and services, which leads to a huge amount of traffic being exchanged every day. This popularity also brings trouble: flash crowds and Distributed Denial of Service (DDoS) attacks are the two major events that threaten the stability and security of web services. Some existing methods can discriminate a DDoS attack from a flash crowd and find the source of the attacker in network traffic, but it remains unclear how to find the source of a DDoS attack when a flash crowd is present at the same time, because the two anomalies look very much alike and an attacker can easily mimic legitimate traffic patterns. In this paper we use the entropy variation between attack flows and legitimate flows to discriminate a DDoS attack from a flash crowd and to trace the source of the attacker. Entropy variation is an information-theoretic measure of the change in the randomness of the flows seen at a router over a given time interval. The proposed strategy has several advantages: it is not memory intensive, it scales efficiently, it is robust against packet pollution, and it is independent of attack traffic patterns.

Keywords: DDoS attacks, IP Traceback, Flash Crowd, Entropy Variation, Flow


The Internet is an open architecture that is vulnerable to various forms of network attack, the most prominent of which is the Distributed Denial of Service (DDoS) attack. A DDoS attack is a malicious attempt to make a computer resource unavailable to its intended users: it degrades or completely disrupts service to legitimate users by consuming the communication and memory resources of the victim with a high volume of packets. Like a DDoS attack, a flash crowd is a network anomaly, but it is an unintentional one, because all the requests reaching the server come from legitimate users who actually want the data on that server. For example, when a new version of popular software is released, or when a cricket or soccer league match requires continuous live streaming, the traffic at a news site will be much higher than normal and the number of legitimate requests to the server becomes much larger than usual; we then say that the server undergoes a flash crowd. A DDoS attack, in contrast, is caused intentionally and for a malicious purpose.

A DDoS attack shares some characteristics with a flash crowd, but it is not one. Both DDoS attacks and flash events can overload the server's Internet connection and result in partial or complete failure, and it is a tough challenge to tell the two apart because they look very much alike. Because of the vulnerability of the Internet, attackers can easily blend their traffic into legitimate network traffic or hide attack flows among legitimate flows. Attack sources pretend to be legitimate users and pump a large volume of malicious packets that flood the target victim. This defeats defense systems, which then cannot detect the attack sources in time, so it is necessary to discriminate legitimate flows from malicious flows. Like discrimination, detecting the sources of a DDoS attack is a tough challenge, because the Internet routing mechanism is memoryless.

Our contribution in this paper is to detect DDoS attack sources in a large-scale network with thousands of zombies when a flash crowd is also present in the network. For this we use a novel IP traceback method based on the entropy variation between legitimate traffic and DDoS attack traffic. IP traceback is the name given to any method for finding the actual source of the attackers. Because of the vulnerability of the original design of the Internet, we may not be able to find the actual sources in time, or the defense system may mistake a legitimate user for an attack source. The key question is why we choose entropy for this purpose. Entropy can measure the similarity between legitimate flows and attack flows: it captures in a single value the distributional changes in traffic patterns, observing the time series of entropy over multiple features exposes unusual traffic behavior, and it reduces the computational workload. We use four traffic features to calculate the entropy: source address, destination address, source port and destination port. We categorize the packets passing through every router in the network into flows, where a flow is defined by the upstream router a packet came from and the destination address of the packet. Each router observes and records the entropy variations of each flow during non-attack and flash crowd periods. Once a DDoS attack has been identified, the victim initiates the pushback process to detect the sources of the attack. Based on the flow entropy variations it has accumulated, the victim first identifies which of its upstream routers are in the attack tree and which carry legitimate traffic, and then submits requests to the corresponding immediate upstream routers. Those routers examine the entropy variations they have recorded. Once the immediate upstream routers have identified the attack flows and legitimate flows, they forward the requests to their own immediate upstream routers to identify the attack sources further; this procedure is repeated until it reaches the attack sources.

System Model

To describe our discrimination and detection mechanism, we use Fig. 1 as a sample network under DDoS attack. In the scenario of Fig. 1 there are three flows f1, f2 and f3. Flow f3 is a legitimate flow, since there is no attacker in Lan5; flows f1 and f2 are a mixture of attack flows and legitimate flows. The volume of some flows increases significantly during a DDoS attack. Routers R2, R3 and R4, which lie on the attack path, will sense these dramatic changes. Routers R4 and R2 will also sense a dramatic change in the non-attack case, because a second network anomaly, the flash crowd, is present in addition to the DDoS attack. Routers that are not on the attack path, such as R1 and R5, will not sense the variations. Therefore, once the victim recognizes an attack path and a flash crowd path, based on its own entropy and the entropy recorded by the routers, it starts the pushback procedure to detect the sources of the DDoS attack.

The victim starts the pushback procedure in a parallel and distributed fashion. Based on its entropy variations, the victim knows that attackers are somewhere behind router R4 and that no attackers are behind router R5, so it sends the request to its upstream router R4. Router R4, from its own recorded entropy, knows that there are two groups of attackers: one behind the link to Lan0 and another behind the link to Lan4. The traceback requests are therefore delivered further to the edge routers R1 and R2, respectively. Router R1, based on its information about entropy variation, can infer that attackers are located in Lan0; similarly, router R2 can conclude that some attackers are in Lan4. This pushback process continues until the sources of the attack are located.


Figure 1: Sample network of DDoS attack

Related work:

A number of IP traceback methods have been proposed to detect the sources of an attack. Previous traceback methods are generally based on packet marking or packet logging. Packet marking methods include PPM (Probabilistic Packet Marking) and DPM (Deterministic Packet Marking). S. Savage [1] proposed the packet marking mechanism called PPM, in which routers probabilistically mark packets with partial path information during forwarding. Dean [7] later proposed another packet marking mechanism, Deterministic Packet Marking (DPM), in which every ingress router writes its own IP address into the outgoing IP packet. A major problem of both packet marking strategies is that they cannot increase the packet size, in order to avoid additional downstream fragmentation; because of this, network traffic may increase. Moreover, PPM can only operate within a local range of the Internet (an ISP network), so attack sources residing outside the ISP network cannot be detected, and DPM may require a very large number of marks for path reconstruction. Both strategies require modification and updating of routing protocols, and both also produce false positive alarms, meaning that neither has a proper way to discriminate legitimate flows from malicious flows.

System Transaction:

Here we categorize each packet passing through each router into a flow. As discussed above, a flow is defined by the upstream router the packet came from and the destination of the packet. We use entropy to measure the changes in legitimate flows and malicious flows at each router over a given time interval during the non-attack, attack and flash crowd periods.

Entropy is an information-theoretic concept that captures the degree of dispersal or concentration of a distribution of flows. Take a histogram X = { n_i, i = 1, ..., N } in which flow i occurs n_i times in the sample. Let S be the total number of flows in the histogram. Then the sample entropy H(X) is

H(X) =

where p_i = n_i / S.
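As an added example (not code from the essay), the following Python computes the sample entropy of a router's flow histogram, the entropy variation between a recorded non-attack interval and the current one, and the victim-initiated pushback described above, over a constructed set of router records loosely following Fig. 1. It assumes the elided formula is the standard Shannon entropy and, since the essay does not state the per-flow rule, selects the flows to push back on by the jump in their packet count; the flash crowd case is not modelled.

```python
import math

def entropy(counts):
    """Sample entropy H(X) of a flow histogram {flow: n_i}, with p_i = n_i / S.
    The essay elides the formula; the standard Shannon form (in bits) is assumed."""
    S = sum(counts.values())
    return -sum(n / S * math.log2(n / S) for n in counts.values() if n > 0)

def entropy_variation(baseline, current):
    """Change in randomness of the flow distribution between two recorded intervals."""
    return entropy(current) - entropy(baseline)

# Constructed records, not measured data: router -> interval -> {(upstream link, dst): packets}.
# Topology loosely follows Fig. 1: victim <- R4, R5; R4 <- R1 (Lan0), R2 (Lan4); R5 <- Lan5.
# "V" is the victim, "X"/"Y" are other destinations; attackers sit in Lan0 and Lan4.
RECORDS = {
    "victim": {"normal": {("R4", "V"): 300, ("R5", "V"): 280},
               "attack": {("R4", "V"): 9000, ("R5", "V"): 300}},
    "R4": {"normal": {("R1", "V"): 150, ("R2", "V"): 150, ("R1", "X"): 140, ("R2", "X"): 130},
           "attack": {("R1", "V"): 4500, ("R2", "V"): 4500, ("R1", "X"): 140, ("R2", "X"): 130}},
    "R5": {"normal": {("Lan5", "V"): 280, ("Lan5", "Y"): 260},
           "attack": {("Lan5", "V"): 300, ("Lan5", "Y"): 260}},
    "R1": {"normal": {("Lan0", "V"): 150, ("Lan0", "X"): 140},
           "attack": {("Lan0", "V"): 4500, ("Lan0", "X"): 140}},
    "R2": {"normal": {("Lan4", "V"): 150, ("Lan4", "X"): 130},
           "attack": {("Lan4", "V"): 4500, ("Lan4", "X"): 130}},
}

def attack_flows(node, delta=0.2, jump=3.0):
    """Flows at `node` to push back on. The router-level entropy must have moved by more
    than `delta` bits; within that, a flow whose packet count grew more than `jump`-fold
    against its non-attack record is treated as an attack flow (rule assumed here)."""
    base, cur = RECORDS[node]["normal"], RECORDS[node]["attack"]
    if abs(entropy_variation(base, cur)) <= delta:
        return []
    return [f for f, n in cur.items() if n > jump * base.get(f, 0)]

def pushback(node="victim"):
    """Victim-initiated traceback: each attack flow names the upstream link it came from;
    a link that is itself a recording router continues the search, a LAN is a source."""
    sources = []
    for upstream, _dst in attack_flows(node):
        sources += pushback(upstream) if upstream in RECORDS else [upstream]
    return sources

if __name__ == "__main__":
    print(pushback())  # ['Lan0', 'Lan4']
```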

Detection Methodology:

The detection mechanism is assessed in terms of the scale of network it can handle, the storage space needed on routers, the detection time and the operational workload. It comprises two algorithms to detect the sources of attacks.

Local flow monitoring algorithm

This algorithm monitors the flows at each router. With its help, the router records the traffic of every flow, whether it comes from a client or from an attacker, during the non-attack, attack and flash crowd periods.


total_flow = 21;
total_traffic = 0;
for (i = 1; i <= total_flow; i++) {
    traffic[i] = 0;
}
/* Observe the traffic at each router during intervals of 10 s from 0-150 s
   and store the packet count of flow i in traffic[i] */
for (i = 1; i <= total_flow; i++) {
    traffic[i] = observed_traffic(i);   /* per-flow count for this interval (hypothetical helper) */
}
/* Compute total traffic */
for (i = 1; i <= total_flow; i++) {
    total_traffic = traffic[i] + total_traffic;
}
/* Store routerID, start_time, end_time, flow_ID, each_flow_traffic and total_traffic */

Identification of each flow and its traffic is done at every router.

Threshold Setting: Once we have found the entropy rate of each flow, we select the threshold value. Selecting the threshold value is necessary to detect the real sources of the attack. It is difficult to select an accurate threshold for differentiating normal activity from abnormal activity in network traffic: a value that is too low raises excessive false alarms, while a value that is too high lets attack traffic pass as normal traffic.

IP Traceback Algorithm

Once a DDoS attack and a flash crowd have been identified on the basis of the total traffic of each flow that we calculated and the threshold value we selected, and the threshold value is greater than the entropy H(X), the victim starts the IP traceback algorithm.


total_flow = 21;
for (i = 1; i <= total_flow; i++) {
    f[i] = 0;
}
/* Observe the traffic at each router. The time at which packet loss occurred
   is noted (44.7632 s); packet loss period = 30-50 s. Traffic is measured
   during the packet loss period, so f[i] holds the traffic of flow i in that
   period: Traffic = 16489 packets. The maximum traffic is selected as the
   threshold for attack detection. */
Threshold = 16500;
for (i = 1; i <= total_flow; i++) {
    if (f[i] > Threshold) {
        /* Attacker flow ID = i: find the source of flow i */
        AttackerID = source(i);
    }
}

Performance Evaluation:

The performance of the network is tested using Network Simulator 2 (ns-2) and evaluated in terms of the following metrics.

Traceback Time

This is the time required to detect the sources of the DDoS attack. Traceback is possible within approximately 20 seconds in a high volume of network traffic.

Packet Delivery Ratio based on entropy variation

PDR is the ratio of the total number of packets that reach the receiver to the number of packets sent by the source. As the number of malicious nodes increases, PDR decreases; higher node mobility also causes PDR to decrease.

PDR (%) =

Comparison of PDR:

We compare the Packet Delivery Ratio under attack, in the non-attack case and in the flash crowd case.

We can see from the figure that PDR under attack is much lower than PDR in the flash crowd and non-attack cases. When a DDoS attack happens in the network, the malicious nodes send many unwanted packets (malicious flow) to the victim, so that the normal nodes' packets (legitimate flow) are unable to reach the victim.

Similarly, comparing PDR during the non-attack and flash crowd periods, PDR in the flash crowd event is slightly lower than in the non-attack case, because a flash crowd creates more traffic in the network without any malicious intent, and this extra traffic causes some data packets to the victim to be dropped.

Figure: Comparison of PDR under attack, non-attack and flash crowd cases

Throughput based on entropy variation

Throughput is the average rate at which messages are successfully delivered to the destination over a communication channel. It is usually measured in bits per second and sometimes in data packets per second.

Throughput (bits/s) =

We evaluate the performance on the above metrics in three cases: non-attack periods, periods when a flash crowd occurs, and periods under DDoS attack.

Comparison of Throughput:

Like PDR, we also compare throughput across the three cases.

When malicious activity (a DDoS attack) occurs in the network, some packets from legitimate nodes do reach the victim but not in time, so throughput decreases.

In the non-attack event all packets reach the victim, while in the flash crowd event very few packets are dropped due to the congestion created in the network, so throughput in the two cases is not equal but nearly the same.



In this paper we presented an effective and efficient detection mechanism based on entropy variation, which is fundamentally different from existing packet marking and logging techniques. The proposed method needs no marking of packets, so we avoid the requirements of the existing approaches: the victim collecting a large number of packets to identify the attack paths (packet marking) and reserving a significant amount of resources at intermediate routers (packet logging). The model can work as an independent software module, so no routing software needs to be updated. It also eases the problem of differentiating a flash crowd, which is simply legitimate flow, from a DDoS attack. With this mechanism we proved that by combining the router entropy and the entropy rate of flows at each router we can distinguish a flash crowd from a DDoS attack (malicious flow), so that false alarms are unlikely and the defense system has no problem detecting the actual sources of the attack in time.