As network infrastructure continues to grow, the distributed denial of service (DDoS) attack remains one of the most severe security threats. In any conventional network the high volume of data and the large number of users make attack traffic difficult to detect and to separate from legitimate traffic. Network randomness, physical attacks, and DDoS attacks all leave their imprint in three measurable quantities: the bandwidth profile (throughput), the latency (time duration), and the network traffic metadata. These three parameters form the crux of any detection setup. In this paper, we propose a fast, cost-efficient, open-source, and effective real-time entropy-based DDoS detector that uses variations in the entropy of Transmission Control Protocol synchronize (TCP SYN) packets as the basis for attack detection. The attack traffic is self-generated by a compromised bot system controlled by a command and control (C&C) server, so that we analyze the actual, representative characteristics of the attack pattern rather than a synthetic approximation. Our DDoS detector not only detects the attack but also sends the contextual attack information to a registered email address. The attack information supplies the network traffic characterization required for the threshold-entropy calculations and their mathematical modelling, all in real time. The whole architecture is coded in Python. It provides an optimal detection sensitivity and improves attack prediction with low resource utilization.
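The abstract describes the detection idea (entropy variations of TCP SYN packets compared against a threshold) but not the concrete computation. The block below is an added illustration, not the authors' code or the framework from the paper. It assumes one common reading of the idea: the Shannon entropy of the SYN source-address distribution is computed over fixed-size windows, a baseline is learned from the first few windows, and a window whose entropy departs from that baseline in either direction raises an alert (entropy rising points to spoofed random sources, entropy falling to a few bots sending everything). The packet records, addresses, window size, and threshold band are constructed for the example.

```python
"""Added example: sliding-window entropy detector for TCP SYN floods.

Not the authors' code. It illustrates the idea in the abstract: compute the
entropy of the source-address distribution over each window of pure SYN
packets and alert when it departs from a learned baseline. Packet records
are constructed dicts, not captured traffic.
"""
import math
from collections import Counter
from statistics import mean, pstdev

TCP_SYN = 0x02
TCP_ACK = 0x10


def is_pure_syn(flags):
    """True for a connection-opening SYN (SYN set, ACK clear); SYN/ACK replies are ignored."""
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK)


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def normalized_source_entropy(packets):
    """Entropy of SYN source addresses, scaled to [0, 1] by log2(window size).

    1.0 means every SYN came from a different address (typical of a spoofed
    flood); values near 0 mean a handful of addresses dominate.
    """
    srcs = [p["src"] for p in packets if is_pure_syn(p["flags"])]
    if len(srcs) < 2:
        return 0.0
    return shannon_entropy(srcs) / math.log2(len(srcs))


class SynEntropyDetector:
    """Collects SYNs into fixed-size windows and compares each window's entropy
    with a baseline learned from the first `baseline_windows` windows.
    Window size, k and margin are assumed values chosen for this example."""

    def __init__(self, window_size=20, baseline_windows=3, k=3.0, margin=0.1):
        self.window_size = window_size
        self.baseline_windows = baseline_windows
        self.k = k
        self.margin = margin      # floor on the band, guards against a zero-variance baseline
        self._buf = []
        self.baseline = []        # entropies of the training windows
        self.alerts = []

    def observe(self, packet):
        """Feed one packet; returns an alert dict when a window closes abnormally, else None."""
        if not is_pure_syn(packet["flags"]):
            return None
        self._buf.append(packet)
        if len(self._buf) < self.window_size:
            return None
        window, self._buf = self._buf, []
        h = normalized_source_entropy(window)
        if len(self.baseline) < self.baseline_windows:
            self.baseline.append(h)   # still learning what "normal" looks like
            return None
        mu = mean(self.baseline)
        band = max(self.k * pstdev(self.baseline), self.margin)
        if h > mu + band:
            kind = "spoofed-source SYN flood (entropy rose)"
        elif h < mu - band:
            kind = "concentrated-source SYN flood (entropy fell)"
        else:
            return None
        alert = {
            "kind": kind,
            "entropy": round(h, 3),
            "baseline": round(mu, 3),
            "band": round(band, 3),
            # contextual information a notification (e.g. the paper's email) would carry
            "top_sources": Counter(p["src"] for p in window).most_common(3),
        }
        self.alerts.append(alert)
        return alert


def syn(src, dst="10.0.0.5"):
    """Constructed SYN packet record (documentation addresses, not real hosts)."""
    return {"src": src, "dst": dst, "flags": TCP_SYN}


# Constructed traffic, not a capture:
# three normal windows of 20 SYNs spread evenly over four legitimate clients ...
NORMAL = [syn(f"192.0.2.{i % 4 + 1}") for i in range(60)]
# ... then one window with 20 distinct (spoofed) sources ...
SPOOFED = [syn(f"198.51.100.{i + 1}") for i in range(20)]
# ... and one window where two bots send everything.
BOTS = [syn(f"203.0.113.{i % 2 + 1}") for i in range(20)]


def run_demo():
    """Replay the constructed stream and return the alerts raised, in order."""
    det = SynEntropyDetector()
    return [a for a in map(det.observe, NORMAL + SPOOFED + BOTS) if a]


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

Two caveats a practitioner should keep in mind when using entropy this way: the threshold must be learned on traffic that is known to be clean, since a baseline taken during an attack will hide that attack, and a botnet that is large and diverse enough to resemble the normal client population will sit inside the band, so entropy is best combined with the rate and latency signals the abstract also names.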
Cite this article as: B. Habib and F. Khursheed, “Real-time transmission control protocol-synchronize-based distributed denial of service detection framework using entropy variations in self-coded bot-network architecture,” Electrica, 23(2), 160-176, 2023.