Department of Electrical and Computer Engineering

ECE/iNetS Seminar
March 5, 2008
3:00 - 4:00 pm (Babbio Room 310)

Dr. Willa Ehrlich
Dr. Danielle Liu
Dr. Kenichi Futamura

AT&T Labs

An Entropy Based Method to Detect Spoofed Denial of Service Attacks


Abstract

A Spoofed Denial of Service (DoS) System is described that analyzes a level of entropy in distributions of source and destination IP address aggregate flow share, for IP traffic traversing one or more links. A source IP address aggregate entropy time series and a destination IP address aggregate entropy time series are derived and then adaptive thresholding is applied to each time series to identify upper and lower entropy thresholds for current measurements. Given current traffic traversing the set of monitored links, current source and destination entropy values are computed on a near real-time basis. If the entropy of the current distribution of destination IP address aggregates flow share falls below the destination entropy time series’ identified lower entropy threshold, a possible Denial of Service attack may be declared. If, in addition, the decline in entropy in the destination entropy time series is accompanied by a rise in the entropy of the current distribution of source IP address aggregates flow share and the current source entropy is greater than the source entropy time series’ identified upper entropy threshold, a Spoofed Denial of Service attack may be declared. We document an application of this approach to identifying Spoofed Denial of Service attacks on Peering Links monitored by the AT&T Common IP Backbone Tier 1 ISP.
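The decision rule in the abstract, sketched as an added Python example (not the speakers' or AT&T's code). Assumptions: aggregates are IPv4 /24 prefixes, adaptive thresholding is modelled as mean ± 3 standard deviations of the recent entropy series, and all function names and traffic samples are constructed for illustration.

```python
import ipaddress
import math
from collections import Counter
from statistics import mean, stdev

def aggregate(ip, prefix_len=24):
    # Assumption: aggregates are fixed-length IPv4 prefixes (/24 here).
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)

def entropy(addresses):
    """Shannon entropy (bits) of the flow share held by each address aggregate."""
    counts = Counter(aggregate(a) for a in addresses)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def thresholds(series, k=3.0):
    # Assumption: adaptive thresholding modelled as mean +/- k*stdev of recent history.
    m, s = mean(series), stdev(series)
    return m - k * s, m + k * s

def classify(flows, src_series, dst_series):
    """flows: list of (src_ip, dst_ip) pairs seen in the current interval."""
    h_src = entropy(s for s, _ in flows)
    h_dst = entropy(d for _, d in flows)
    dst_lower, _ = thresholds(dst_series)
    _, src_upper = thresholds(src_series)
    if h_dst >= dst_lower:
        return "normal"          # destination entropy has not collapsed
    return "spoofed-dos" if h_src > src_upper else "possible-dos"

# --- constructed sample traffic (not real measurements) ---
def normal_flows(n_src, n_dst, n=400):
    return [(f"10.0.{j % n_src}.1", f"172.16.{j % n_dst}.1") for j in range(n)]

VICTIM = "192.0.2.10"
baseline = [normal_flows(14 + i % 5, 14 + (i + 2) % 5) for i in range(20)]
SRC_SERIES = [entropy(s for s, _ in f) for f in baseline]
DST_SERIES = [entropy(d for _, d in f) for f in baseline]
# Flood from 16 real sources vs. a flood with a different spoofed /24 per flow.
direct = normal_flows(16, 16) + [(f"10.0.{j % 16}.1", VICTIM) for j in range(4000)]
spoofed = normal_flows(16, 16) + [
    (str(ipaddress.ip_address(0x0B000000 + 256 * j)), VICTIM) for j in range(4000)]

if __name__ == "__main__":
    for name, flows in [("normal", normal_flows(16, 16)),
                        ("direct", direct), ("spoofed", spoofed)]:
        print(name, classify(flows, SRC_SERIES, DST_SERIES))
```

Both floods push destination entropy below its lower threshold; only the spoofed one also pushes source entropy above its upper threshold, which is what separates the two verdicts.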


Speaker Bios

Willa Ehrlich:

Willa Ehrlich is currently a Senior Security Analyst in the AT&T Security Center of Excellence where she has developed algorithms for detecting worm propagations, Denial of Service events, source spoofing and dynamically characterizing Internet hosts' traffic profiles. She is currently working with Dr. David Hoeflin and Dr. Danielle Liu on developing an algorithm for applying link analysis and multivariate techniques to detecting e-mail spamming machines. Dr. Ehrlich received her PhD in Psychology from University of Minnesota in 1974. She was an Instructor at Brown University, Department of Psychiatry and Human prior to joining Bell Laboratories in 1983. She was a Distinguished Member of Technical Staff at Bell Laboratories and Technology Consultant at AT&T Labs where she evaluated systems’ functionality, reliability, performance and scalability.
Dr. Ehrlich has presented her work on internet security, testing and software reliability engineering at workshops, international software engineering conferences, and to Bell Labs/AT&T Labs technical staff members. She has authored/co-authored over 20 scientific publications.

Danielle Liu:

Danielle Liu received her Ph.D. in Industrial Engineering at University of Arizona in 1993. She was a visiting professor at Department of Electrical Engineering at Case Western Reserve University for one year before joining Bell Labs in 1994. Danielle has worked on various projects in AT&T including Internet traffic characterization, IP QoS, WiMAX and IP security. She is currently working on email SPAM detection and network capacity planning. Dr. Liu is the author of over 20 papers on queueing theory and applications, network traffic modeling and engineering, and IP security. Dr. Liu is a member of IEEE. She also serves as an editor for the journal of Queueing Systems: Theory and Applications.

Kenichi Futamura:

Kenichi Futamura received M.S. degrees in Mathematics (1994) and Statistics (1994) and a Ph.D. in Operations Research (1996) at Stanford University. Since joining AT&T Labs in 1995, he has investigated various areas including credit risk management, performance analysis, network grooming, access optimization, and internet security. His recent security efforts include developing several intrusion detection tools for the AT&T Internet Protect platform, including WARD, a worm detection tool. Currently, he is a Principal Technical Staff Member, working on anomaly detection, intrusion correlation, and capacity planning.

This seminar is sponsored by the ECE Department.
For more information please contact: Prof. Yingying Chen, (201) 216-8066.


 
Stevens Institute of Technology | 1 Castle Point on Hudson, Hoboken, NJ 07030 | Phone: 201.216.5263 | Fax: 201.216.8909