Entropy DDoS Detection
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


edd: Entropy DDoS Detector

 * Author: comotion@users.sf.net
 * Idea by breno.silva@gmail.com
 * Thanks to ebf0 (http://www.gamelinux.org/) whose support code is good enough
 * License? If U have the code U have the GPL... >:-P

Entropy  H(P1) + H(P2) + ... + H(Pi) > H(P1P2..Pi) => DDOS

Pseudo code:
   # can segment into destport or src:port:dst:port
   for each packet
      count set bits
      count packet bits
      sum_entropy = Entropy(packet);
      track window of n last packets{
         increase set & total bit values
         if(H(window) > H(p1p2..pwin)
            => DDOS!

/* calculate the simple entropy of a packet, ie
 * assume all bits are equiprobable and randomly distributed
 * needs work: do this with pure, positive ints?
 * tresholds? markov chains? averaging?
 * SIMD bitcounts?
 * check this with our friend the kolmogorov

 - uses simplistic approximation of Entropy: bits set
 - uses very fast implementation of bitcount (lookup table or parallel)
 - counts Entropy for all packets, does not segment on port