
Algorithm Research Of Defending TCP DDoS Attack And Implementation Of It On Linux

Posted on: 2008-01-25
Degree: Master
Type: Thesis
Country: China
Candidate: X Y Wang
Full Text: PDF
GTID: 2178360212981209
Subject: Computer application technology
Abstract/Summary:
With the rapid development of the Internet in recent years, network attacks occur frequently and new attack methods appear constantly. SYN Flood, the representative DDoS attack method, is one of the most destructive. It exploits the insecurity of the three-way handshake in the traditional TCP/IP protocol by sending a large number of SYN packets to an Internet server. Because the server has to process so many useless SYN packets, legitimate SYN packets cannot be answered in time. How to detect this attack and reduce the damage it causes has therefore become a topic of network security research throughout the world.

Aiming at this problem, the thesis proposes a method for defending effectively against SYN Flood in the Linux environment by setting up a firewall between client and server that filters SYN Flood attack packets. By making use of the self-similarity of TCP packet traffic and monitoring network traffic in real time, it can respond rapidly to the occurrence of a SYN Flood. Different filtering methods are applied to SYN connection requests in different situations. Normally the three-way handshake of the TCP protocol is used to set up a connection. Meanwhile, the source IP of each ACK packet is kept in a hash table of historical records for reference when a DDoS attack occurs. When an attack occurs, the host under attack is identified by the MULTOPS scheme. A mechanism based on separating normal SYN packets from SYN Flood packets is adopted, in which different SYN connection requests are handled in different ways. First, for a request to connect to a normal (unattacked) host, the TCP three-way handshake is still used. Second, for a request to connect to a host that is under attack, the source IP of the SYN packet is extracted first and then looked up in the hash table of historical records.
If the IP is found, the TCP three-way handshake is used for the connection. If it is not found, the attack intensity is determined further. If the attack intensity is level 0, the SYN Cookie mechanism is used to set up the connection. If the attack intensity is level 1, the SYN packet is dropped directly.
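The admission logic described above, as an added Python model that is not code from the thesis: a history table of source IPs that completed a handshake, an attacked-host check, the two intensity levels, and a simplified SYN cookie. The unanswered-SYN thresholds, the cookie secret, and the per-host SYN/ACK counters standing in for MULTOPS are assumptions made for the example.

```python
import hashlib
import hmac
import time
from collections import defaultdict

LEVEL_SYN_COOKIE, LEVEL_DROP = 0, 1  # attack-intensity levels named in the abstract


def syn_cookie(secret, src_ip, dst_ip, src_port, dst_port, now=None):
    """Stateless ISN: 8-bit minute counter || 24-bit MAC over the 4-tuple and counter."""
    counter = (int(time.time() if now is None else now) // 60) & 0xFF
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    mac = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")
    return (counter << 24) | mac


def check_cookie(secret, ack_num, src_ip, dst_ip, src_port, dst_port, now=None):
    """Validate the final ACK of a cookie handshake; only this or the previous minute is accepted."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t = int(time.time() if now is None else now)
    for age in (0, 1):
        if ((t // 60 - age) & 0xFF) == cookie >> 24:
            return syn_cookie(secret, src_ip, dst_ip, src_port, dst_port, t - 60 * age) == cookie
    return False


class SynFilter:
    """SYN admission logic from the abstract: history table, attacked-host check, two levels."""
    def __init__(self, thresholds=(50, 500)):
        self.history = set()                 # hash table of source IPs that completed a handshake
        self.syn_per_dst = defaultdict(int)  # per-host SYN/ACK counters stand in for MULTOPS (assumption)
        self.ack_per_dst = defaultdict(int)
        self.thresholds = thresholds         # unanswered-SYN counts that start level 0 / level 1 (assumption)

    def observe_ack(self, src_ip, dst_ip):
        """A completed three-way handshake records the client as known-good."""
        self.history.add(src_ip)
        self.ack_per_dst[dst_ip] += 1

    def attack_level(self, dst_ip):
        backlog = self.syn_per_dst[dst_ip] - self.ack_per_dst[dst_ip]
        if backlog < self.thresholds[0]:
            return None                      # host is not under attack
        return LEVEL_SYN_COOKIE if backlog < self.thresholds[1] else LEVEL_DROP

    def handle_syn(self, src_ip, dst_ip):
        """Decide how a SYN is admitted: 'handshake', 'syn_cookie' or 'drop'."""
        self.syn_per_dst[dst_ip] += 1
        level = self.attack_level(dst_ip)
        if level is None or src_ip in self.history:
            return "handshake"               # ordinary three-way handshake
        return "syn_cookie" if level == LEVEL_SYN_COOKIE else "drop"
```

A known client keeps the ordinary handshake at every intensity level, while unknown sources move from a cookie handshake at level 0 to being dropped at level 1.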
Keywords/Search Tags: DDoS, TCP Proxy, Pretreating Table, History Record Hash table, SYN Cookie