The Research Of The Defense Strategy Of Denial Of Service Attacks Linux-based

TCP/IP protocol is the most widely used network interconnection agreement, but the insecurity of TCP three-step handshake, making Internet with congenital deficiencies. With the Internet has been the rapid development in recent years, network security incidents occur frequently and the variety of means of attack appear ceaselessly. SYN Flooding as the representative to the distributed denial of service attacks and a new distribution of refraction of denial of service attacks, in recent years, are the highly destructive means. They make use of the congenital defects of the TCP/IP, showing a strong destructive power and difficult to defend, therefore, they give the huge threat to Internet security, integrity, availability and so on. How to defend and reduce the damage of DoS attacks gives rise of the extensive focus and becomes the topic of the network security research for now.In this paper, the defense strategy of denial of service attack was designed, mainly to the following aspects:(1) To analysing and studying the principle and method of several representative denial of service attacks in the current network security technology and analysing the respective merits and weaknesses;(2) To analysing the implement means of current mainstream network layer firewall technology, and studying the advantages and disadvantages of the respective work principle and defensive performance of the defensive methods of three commonly used firewalls defend against SYN Flooding attack in the current (SYN Gateway, passive SYN Gateway and SYN relay), and then brought forward the improved defensive algorithm of SYN Flooding attack by combined the advantages and disadvantages of above several defensive algorithms;(3) Based on the netfilter framework in the Linux operating system, by setting a parameter N to control the the quantity of semi-connected in the TCB, when the quantity of semi-connected reached the N in the TCB, then automatically open SYN Flooding attack defensive module, and in the defensive modules also set up a time parameter T to control the air-link's connecting time and then implement the new SYN Flooding attack defensive module. Working in the existing firewall tools iptables, the efficiency, to defend against SYN Flooding attack, will achieve optimal results.Finally, the test data to prove that, by loading the defensive module, is to greatly improving the defensive efficiency and strengthening the network security.