Design And Implementation Of Firewall Based On Linux For Defending DDoS Attacks

Posted on: 2008-03-26
Degree: Master
Type: Thesis
Country: China
Candidate: Z Yang
GTID: 2178360245491803
Subject: Computer software and theory
Abstract/Summary:
Defense against DDoS (distributed denial-of-service) attacks is one of the hardest security problems on the Internet. Attackers usually send too many service requests in order to exhaust the resources on the server, so that the overloaded server cannot provide service for real requests. This kind of attack typically controls many computers distributed across the Internet to attack the server. Forged IP addresses and flooding attack modes are also used in the attack, so it is very hard to detect and defend against DDoS attacks. netfilter is an excellent firewall framework with a plain structure that is convenient to extend, adopted in Linux kernel 2.4 and subsequent versions. This paper introduces how to realize a firewall based on netfilter to defend against DDoS attacks.

First, we introduce the definition of network security and the types of firewall. Then we analyze the Linux kernel to figure out how packets travel through it, and study the netfilter framework and iptables to understand how the functions of the Linux firewall are implemented. We do some research on the principles of DDoS attacks and the TCP/IP protocol, paying particular attention to the principle of, and defense strategy against, the SYN flood attack. Using the original algorithm, we implement a firewall based on netfilter to defend against DDoS attacks.

The firewall program works as a kernel module. Because packets are processed in the Linux kernel network protocol stack, the firewall uses few system resources and has high working efficiency. A pure Linux kernel firewall has little use in practice, so we introduce how to combine the kernel module program with a Web application program developed in JSP. That makes the firewall an integrated firewall system; more accurately, it becomes a firewall product with real use.

After many tests in a real network environment and data analysis, it is shown that the firewall we designed can defend against many kinds of DDoS attack and has high working efficiency.
Keywords/Search Tags:DDoS, Linux firewall, netfilter, TCP/IP, JSP