-
Notifications
You must be signed in to change notification settings - Fork 9
/
README
38 lines (31 loc) · 1.14 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
edd: Entropy DDoS Detector
* Author: comotion@users.sf.net
* Idea by breno.silva@gmail.com
http://lists.openinfosecfoundation.org/pipermail/oisf-wg-portscan/2009-October/000023.html
* Thanks to ebf0 (http://www.gamelinux.org/) whose support code is good enough
* License? If U have the code U have the GPL... >:-P
Entropy H(P1) + H(P2) + ... + H(Pi) > H(P1P2..Pi) => DDOS
Pseudo code:
# can segment into destport or src:port:dst:port
for each packet
count set bits
count packet bits
sum_entropy = Entropy(packet);
track window of n last packets{
increase set & total bit values
if(H(window) > H(p1p2..pwin)
=> DDOS!
}
/* calculate the simple entropy of a packet, ie
* assume all bits are equiprobable and randomly distributed
*
* needs work: do this with pure, positive ints?
* tresholds? markov chains? averaging?
* SIMD bitcounts?
*
* check this with our friend the kolmogorov
*/
Special:
- uses simplistic approximation of Entropy: bits set
- uses very fast implementation of bitcount (lookup table or parallel)
- counts Entropy for all packets, does not segment on port