Deceiving Entropy Based DoS Detection

Oezcelik I., Brooks R. R.

Conference on Signal Processing, Sensor/Information Fusion, and Target Recognition XXIII, Massachusetts, United States Of America, 5 - 08 May 2014, vol.9091 identifier identifier

  • Publication Type: Conference Paper / Full Text
  • Volume: 9091
  • Doi Number: 10.1117/12.2054434
  • City: Massachusetts
  • Country: United States Of America
  • Recep Tayyip Erdoğan University Affiliated: No


Denial of Service (DoS) attacks disable network services for legitimate users. A McAfee report shows that eight out of ten Critical Infrastructure Providers (CIPs) surveyed had a significant Distributed DoS (DDoS) attack in 2010.(1) Researchers proposed many approaches for detecting these attacks in the past decade. Anomaly based DoS detection is the most common. In this approach, the detector uses statistical features; such as the entropy of incoming packet header fields like source IP addresses or protocol type. It calculates the observed statistical feature and triggers an alarm if an extreme deviation occurs. However, intrusion detection systems (IDS) using entropy based detection can be fooled by spoofing. An attacker can sniff the network to collect header field data of network packets coming from distributed nodes on the Internet and fuses them to calculate the entropy of normal background traffic. Then s/he can spoof attack packets to keep the entropy value in the expected range during the attack. In this study, we present a proof of concept entropy spoofing attack that deceives entropy based detection approaches. Our preliminary results show that spoofing attacks cause significant detection performance degradation.