| In recent years, network has developed very rapidly. With the widely use of internet, network intrusion and attack, especially Denial of Service has become a more and more serious and influencing attack style. Denial of Service makes the victims(host, server, router and all other network device)can not supply or accept normal services, which uses reasonable service request to engross overmuch service resource, which makes the server overloaded and cannot respond to any other requests. With the evolvement of technology, new means of DoS has emerged like DDoS. In order to assure the security of network systems, people brought forward a series of policies on the detection and recovery of DoS.At first, this paper presents DoS's definition,classification,history and developing trend, including several DoS attack tools, and emphasizes on the analysis of typical attack approaches. Secondly this paper presents and contrasts actual main approaches on accounting DoS. On the base of which, this paper brings forward a DDoS attack packet filter model.Subsequently, the paper describes how to design and implements the filter. It first deeply researches into the time-window packet filtering mechanism on accounting DDoS flooding attack and verifies the feasibility. Then we explain the distributed packet detection and filtering mechanism. In addition to the schemes above, we presented a multi-handshaking SYN cookie improving model as a contrast to the traditional SYN cookie mechanism. At the same time, this paper researches and compares several defense schemes against DDoS on many fields. By analyzing and comparing these schemes' property, we bring forward an all-around scheme. Based on which, we design and implement a packet filtering system.At last, we design several performance test cases. The test cases show that, with the filter security mechanism being added, the system's security has increased very much with some system performance. By optimizing the system, we can improve the performance cost. |
PDF Full Text Request