edd: Entropy DDoS Detector

• Author: [email protected]
• Idea by [email protected] http://lists.openinfosecfoundation.org/pipermail/oisf-wg-portscan/2009-October/000023.html
• Thanks to ebf0 (http://www.gamelinux.org/) whose support code is good enough
• License? If U have the code U have the GPL... >:-P

Entropy H(P1) + H(P2) + ... + H(Pi) > H(P1P2..Pi) => DDOS

Pseudo code:

can segment into destport or src:port:dst:port

for each packet count set bits count packet bits sum_entropy = Entropy(packet); track window of n last packets{ increase set & total bit values if(H(window) > H(p1p2..pwin) => DDOS! }

/* calculate the simple entropy of a packet, ie

• assume all bits are equiprobable and randomly distributed
• needs work: do this with pure, positive ints?
• tresholds? markov chains? averaging?
• SIMD bitcounts?
• check this with our friend the kolmogorov */

Special:

• uses simplistic approximation of Entropy: bits set
• uses very fast implementation of bitcount (lookup table or parallel)
• counts Entropy for all packets, does not segment on port