<div>Hi Guys </div>
<div> </div>
<div>Good to hear from you.</div>
<div>I'm sending two simple codes for discussion, to see if they can be used as part of a future ddos detection engine.</div>
<div>The idea is to create something to measure the traffic entropy. Most ddos attacks change (decrease) the entropy of certain traffic.</div>
<div>This is a pseudo-code to implement the idea:</div>
<div> </div>
<pre>
for_each_packet() {
    case udp:
        udp_packet[dest port]->count_bit_1_for_the_packet
        udp_packet[dest port]->store_sddr_daddr_ports_etc
        alfa += apply_the_algorithm_for_the_packet(udp_packet[dest port]->count_bit_1_for_the_packet)
        countbit1total[dest port] += udp_packet[dest port]->count_bit_1_for_the_packet
    case tcp:
        tcp_packet[dest port]->count_bit_1_for_the_packet
        tcp_packet[dest port]->store_sddr_daddr_ports_etc
        alfa += apply_the_algorithm_for_the_packet(tcp_packet[dest port]->count_bit_1_for_the_packet)
        countbit1total[dest port] += tcp_packet[dest port]->count_bit_1_for_the_packet

    if(we_have_200_packets_in_this_port)
    {
        beta = apply_the_algorithm_for_the_all_packets(countbit1total[dest port])
        if(beta < alfa)
        {
            attack detected
        }
        else {
            normal traffic
        }
    }
}
</pre>
<div><br>where</div>
<pre>
apply_the_algorithm_for_the_packet :
    /* n*H(p) + log2(n), with n = PKT_BYTES*8 bits in the packet and p = bitone/n */
    (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2)) - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2)))) + log((PKT_BYTES*8))/log(2);
</pre>
<div>and</div>
<pre>
apply_the_algorithm_for_the_all_packets :
    /* the same form, with n = PKT_BYTES*8*NUM_PKT_POLL bits in the whole poll and p = countonetotal/n */
    (PKT_BYTES*8*NUM_PKT_POLL)*(((-(countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))*(log((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))/log(2)) - (1 - ((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))*(log(1-((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))/log(2)))) + log((PKT_BYTES*8*NUM_PKT_POLL))/log(2);
</pre>
<div><br>I will try to explain the idea behind the algorithm...</div>
<div>Suppose we have 3 complex strings: X, Y and Z.<br>So... if we can calculate the complexity of each string using some formula C(x),</div>
<div>for a random/very complex string we have: C(X) + C(Y) + C(Z) < C(XYZ)</div>
<div>In other words... if you have 3 complex things (C(X), C(Y), C(Z)) and concatenate them, you will have something much more complex (C(XYZ)).</div>
<div>Makes sense?</div>
<div><br>This is how the algorithm works for ddos detection... measuring normal traffic on a port number, we will see a lot of random payloads, and during an attack this will change (if the attacker does not randomize the payload).</div>
<div>So, for normal traffic:</div>
<div>Complexity_of(Packet1) + Complexity_of(Packet2) + ... + Complexity_of(PacketN) <= All_complexity(Packet1+Packet2+...+PacketN)</div>
<div>and for a ddos:</div>
<div>Complexity_of(Packet1) + Complexity_of(Packet2) + ... + Complexity_of(PacketN) > All_complexity(Packet1+Packet2+...+PacketN)</div>
<div> </div>
<div> </div>
<pre>
/* Here we are simulating a normal traffic
 * each bitone represents the distribution of bit 1 in each packet payload
 * and in this case the value of bitone is random
 *
 */
#include <stdio.h>
#include <math.h>

float NUM_PKT_POLL = 10;  // Number of packets to process in each port number
float PKT_BYTES = 32;     // payload bytes to count the bit 1
float countonetotal = 0;  // one-bits accumulated over the whole poll
float THR = 0.3;          // I will explain it later
float bitone = 0;         // one-bits in the current packet

/* one-bit count of each of the NUM_PKT_POLL packets in the poll */
float bitones_per_packet[] = {200, 122, 140, 150, 150, 150, 150, 150, 150, 150};

int main()
{
    int i;
    float kolmogorov_total = 0;
    float kolmogorov_packet = 0;

    /* per-packet complexity, summed over the poll */
    for (i = 0; i < NUM_PKT_POLL; i++) {
        bitone = bitones_per_packet[i];
        kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2)) - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2)))) + log((PKT_BYTES*8))/log(2);
        countonetotal += bitone;
    }

    /* complexity of the whole poll taken as one block of bits */
    kolmogorov_total = (PKT_BYTES*8*NUM_PKT_POLL)*(((-(countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))*(log((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))/log(2)) - (1 - ((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))*(log(1-((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))/log(2)))) + log((PKT_BYTES*8*NUM_PKT_POLL))/log(2);

    if (kolmogorov_total < kolmogorov_packet)
        printf("ATTACK DETECTED\n");
    else
        printf("NORMAL TRAFFIC\n");
    return 0;
}
</pre>
<div>**************************</div>
<div> </div>
<div>********* CODE ***********</div>
<pre>
/* This is the same code ... but simulating a ddos attack
 */
#include <stdio.h>
#include <math.h>

float NUM_PKT_POLL = 10;
float PKT_BYTES = 32;
float countonetotal = 0;
float THR = 0.3;
float bitone = 0;

/* one-bit count of each of the NUM_PKT_POLL packets in the poll */
float bitones_per_packet[] = {200, 122, 140, 150, 150, 150, 150, 150, 150, 150};

int main()
{
    int i;
    float kolmogorov_total = 0;
    float kolmogorov_packet = 0;

    /* per-packet complexity, summed over the poll */
    for (i = 0; i < NUM_PKT_POLL; i++) {
        bitone = bitones_per_packet[i];
        kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2)) - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2)))) + log((PKT_BYTES*8))/log(2);
        countonetotal += bitone;
    }

    /* complexity of the whole poll taken as one block of bits */
    kolmogorov_total = (PKT_BYTES*8*NUM_PKT_POLL)*(((-(countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))*(log((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))/log(2)) - (1 - ((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))*(log(1-((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))/log(2)))) + log((PKT_BYTES*8*NUM_PKT_POLL))/log(2);

    if (kolmogorov_total < kolmogorov_packet)
        printf("ATTACK DETECTED\n");
    else
        printf("NORMAL TRAFFIC\n");
    return 0;
}
</pre>
<div><br></div>
<div class="gmail_quote">On Mon, Oct 12, 2009 at 10:03 AM, Matt Jonkman <span dir="ltr"><<a href="mailto:jonkman@jonkmans.com" target="_blank">jonkman@jonkmans.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Yes! We have all the right people here. Shoot us your idea!<br><font color="#888888"><br>Matt<br></font>
<div>
<div></div>
<div><br>Jeff Dickey wrote:<br>> I think what Matt was trying to say was "hey, Breno, everybody with a<br>> technical interest in OISF is on the list; don't ask to ask - what's the<br>> code you've got?"<br>
><br>> But I'll join the flood anyway :-)<br>><br>><br>> On 12/10/09 07:21 , "Matt Jonkman" <<a href="mailto:jonkman@jonkmans.com" target="_blank">jonkman@jonkmans.com</a>> wrote:<br>><br>
>> There's a large number of people on here, we can't have everyone check<br>>> in. :)<br>>><br>>> What are you thinking about?<br>>><br>>> Matt<br>>><br>>> Breno Silva wrote:<br>
>>> Hey Shyaam!<br>>>><br>>>> Good to hear from you!<br>>>><br>>>> Let's wait one more day to hear from the other guys<br>>>><br>>>> cheers<br>>>><br>>>> Breno<br>
>>><br>>>> On Sun, Oct 11, 2009 at 7:57 PM, Shyaam Sundhar <<a href="mailto:shyaam@gmail.com" target="_blank">shyaam@gmail.com</a><br>>>> <mailto:<a href="mailto:shyaam@gmail.com" target="_blank">shyaam@gmail.com</a>>> wrote:<br>
>>><br>>>> Everyone is with you brotha!<br>>>><br>>>> Sent from my iPhone<br>>>><br>>>> On Oct 11, 2009, at 6:35 PM, Breno Silva <<a href="mailto:breno.silva@gmail.com" target="_blank">breno.silva@gmail.com</a><br>
>>> <mailto:<a href="mailto:breno.silva@gmail.com" target="_blank">breno.silva@gmail.com</a>>> wrote:<br>>>><br>>>>> Hey guys,<br>>>>><br>>>>> Who is in the list ?<br>
>>>><br>>>>> I have a simple code to discuss with you<br>>>>><br>>>>> Thanks<br>>>>><br>>>>> Breno<br>>>>> _______________________________________________<br>
>>>> Oisf-wg-portscan mailing list<br>>>>> <a href="mailto:Oisf-wg-portscan@openinfosecfoundation.org" target="_blank">Oisf-wg-portscan@openinfosecfoundation.org</a><br>>>> <mailto:<a href="mailto:Oisf-wg-portscan@openinfosecfoundation.org" target="_blank">Oisf-wg-portscan@openinfosecfoundation.org</a>><br>
>>> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-wg-portscan" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-wg-portscan</a><br>>>> _______________________________________________<br>
>>> Oisf-wg-portscan mailing list<br>>>> <a href="mailto:Oisf-wg-portscan@openinfosecfoundation.org" target="_blank">Oisf-wg-portscan@openinfosecfoundation.org</a><br>>>> <mailto:<a href="mailto:Oisf-wg-portscan@openinfosecfoundation.org" target="_blank">Oisf-wg-portscan@openinfosecfoundation.org</a>><br>
>>> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-wg-portscan" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-wg-portscan</a><br>>>><br>>>><br>
>>><br>>>> ------------------------------------------------------------------------<br>>>><br>>>> _______________________________________________<br>>>> Oisf-wg-portscan mailing list<br>
>>> <a href="mailto:Oisf-wg-portscan@openinfosecfoundation.org" target="_blank">Oisf-wg-portscan@openinfosecfoundation.org</a><br>>>> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-wg-portscan" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-wg-portscan</a><br>
><br><br>--<br></div></div>
<div>--------------------------------------------<br>Matthew Jonkman<br>Emerging Threats<br>Open Information Security Foundation (OISF)<br>Phone 765-429-0398<br>Fax 312-264-0205<br><a href="http://www.emergingthreats.net/" target="_blank">http://www.emergingthreats.net</a><br>
<a href="http://www.openinformationsecurityfoundation.org/" target="_blank">http://www.openinformationsecurityfoundation.org</a><br>--------------------------------------------<br><br>PGP: <a href="http://www.jonkmans.com/mattjonkman.asc" target="_blank">http://www.jonkmans.com/mattjonkman.asc</a><br>
<br><br>_______________________________________________<br></div>
<div>
<div></div>
<div>Oisf-wg-portscan mailing list<br><a href="mailto:Oisf-wg-portscan@openinfosecfoundation.org" target="_blank">Oisf-wg-portscan@openinfosecfoundation.org</a><br><a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-wg-portscan" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-wg-portscan</a><br>
</div></div></blockquote></div><br>