| As an important branch of network security, initiative defense firewall technologies attract more and more attention. At present, there are many types of firewall based on kinds of operation systems, which take on passive defense technologies, such as character matching, manual updating, flow control, access control, and so on. But they have many drawbacks to protect Denial of Service attack. So, in this thesis we introduce a system for initiatively protecting from Denial of Service attacks based on Linux.At first, we introduces essential knowledge about network security and problems about TCP/IP, then analyzes Linux 2.6 kernel, abstract important data structure and data stream, and introduces implement functions of Linux kernel. We study the technique of SYN flood attacks, and analyze the drawbacks of algorithms at present. Based on these, we design and implement a bottom system for initiatively protecting from Denial of Service attacks based on Linux. In the system we implement the proxy handshake function of agent service program in relay firewall through a handshake diversion module, which starts up along with the flow detecting function. On one hand the handshake diversion module work at the network entry part in operation system so that it reduces the consumption of system resources and increase work efficiency; on the other hand, it does not start up the handshake diversion module without attacks, as a result it avoid the time delay arose by agent service program.Finally, we tests on this defense system in real network entironment, the test result show the system we implement can meet the requirement and protect against Denial of Service attacks effectively. |
PDF Full Text Request