
Research On The Model Of Stateful Firewall For Defending SYN FLOOD

Posted on: 2011-08-02
Degree: Master
Type: Thesis
Country: China
Candidate: Q H Liu
Full Text: PDF
GTID: 2178360308452496
Subject: Communication and Information System
Abstract/Summary:
Because the TCP/IP protocol suite itself cannot guarantee the security of information on a computer network, additional protective measures are widely used in network engineering practice, and the firewall is currently one of the key technologies among them. DoS and DDoS attacks are a serious threat to the security of networks and network servers. SYN flood, a typical DoS/DDoS attack, exploits a weakness of the TCP three-way handshake by sending a large number of SYN packets in a short time. If these packets match the firewall's rules, the firewall creates state-table entries to track the resulting half-open connections; the connection-tracking (state) table of the Netfilter/iptables firewall can then overflow, and the firewall eventually refuses new connections. Traditional countermeasures protect only the host behind the firewall, not the firewall itself.

Based on intensive study and analysis of the existing stateful firewall models against SYN flood, and combining the advantages of those models, this thesis designs and implements the HAS (Hash - Adaptive threshold - Stateful inspection) stateful firewall model for defending against SYN flood. The model aims at effective, real-time detection, the security of the firewall itself, and stable communication.

First, the thesis introduces the background of the research, analyses why SYN flood attacks must be defended against, and surveys the current state of stateful firewall models for defending against SYN flood abroad. It then analyses the workflow and working mechanism of stateful firewalls and the principle of the SYN flood attack, with emphasis on the stateful inspection firewall model developed by Check Point. This lays the theoretical foundation for the design and implementation of the HAS model. Second, the thesis describes the design and implementation of the HAS model in detail, including the specific algorithms, the module structure, rule configuration, the kernel modifications, the connection-state facilities of Linux, and the main implementation code modules.

The HAS model is implemented on the Netfilter/iptables firewall framework of the Linux 2.6 kernel. It consists of a pre-processing module, a state information management module and a stateful inspection module. As the first barrier in packet processing, the pre-processing module uses an adaptive threshold algorithm to detect SYN flood attacks; a simple improvement to the algorithm is proposed so that the model remains valid under high-intensity attacks. When an attack is detected, the state information management module dynamically allocates and manages firewall rules, driven by control messages from the pre-processing module, to filter the related packets. The thesis further optimizes packet processing in the firewall and uses a hash table to speed up packet lookup in the stateful firewall. In the implementation, the processing functions are registered on the corresponding Netfilter hooks to realize the pre-processing module, and the kernel code is modified to optimize rule lookup. Finally, performance tests of the HAS model show that it effectively protects the host from SYN flood attacks and, to a certain extent, relieves the overflow of the firewall's state table. At the same time, the model shows good network performance and does not degrade the performance of the firewall. The thesis closes with a summary of the whole work and prospects for future work.
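The detection step the pre-processing module relies on can be illustrated in user-space C. The program below is an added example and is not code from the thesis: it implements the adaptive threshold algorithm in its commonly cited form (an exponentially weighted moving average of the per-interval SYN count, with an alarm after K consecutive intervals above (1 + ALPHA) times that average). The parameter values ALPHA, BETA and K and the traffic traces are assumptions, and the choice to freeze the baseline while the count is above threshold (so that a sustained flood cannot raise the average until the alarm clears) is this example's own handling of the high-intensity case, not necessarily the improvement the thesis proposes.

```c
/*
 * Adaptive-threshold SYN flood detector (added illustration, not the
 * thesis's HAS code). Parameter values and traffic traces are assumptions.
 *
 * Each measurement interval the detector receives the number of TCP SYN
 * segments seen and compares it with the adaptive threshold
 *     (1 + ALPHA) * mean
 * where mean is an EWMA of earlier counts. An alarm is raised after K
 * consecutive intervals above the threshold.
 *
 * Assumed modification for sustained high-intensity floods: while the count
 * is above threshold the baseline is not updated, so a long flood cannot
 * pull the threshold up after it and silence the alarm.
 */
#include <stdio.h>
#include <stddef.h>

#define ALPHA 0.5   /* tolerance above the mean before an interval is a violation */
#define BETA  0.98  /* EWMA weight of the previous mean */
#define K     3     /* consecutive violations required before alarming */

struct at_state {
    double mean;        /* EWMA of SYN count per interval (the baseline) */
    int    violations;  /* consecutive intervals above threshold so far */
    int    seeded;      /* 0 until the first interval initialises mean */
};

void at_init(struct at_state *s)
{
    s->mean = 0.0;
    s->violations = 0;
    s->seeded = 0;
}

/* Feed one interval's SYN count. Returns 1 while an attack is signalled. */
int at_update(struct at_state *s, unsigned syn_count)
{
    double threshold;

    if (!s->seeded) {                 /* first interval seeds the baseline */
        s->mean = (double)syn_count;
        s->seeded = 1;
        return 0;
    }
    threshold = (1.0 + ALPHA) * s->mean;
    if ((double)syn_count > threshold) {
        s->violations++;              /* baseline frozen during a violation */
    } else {
        s->violations = 0;
        s->mean = BETA * s->mean + (1.0 - BETA) * (double)syn_count;
    }
    return s->violations >= K;
}

/* Run a trace of per-interval SYN counts; return the index of the first
 * interval at which the alarm fires, or -1 if it never fires. */
int first_alarm_interval(const unsigned *counts, size_t n)
{
    struct at_state s;
    size_t i;

    at_init(&s);
    for (i = 0; i < n; i++)
        if (at_update(&s, counts[i]))
            return (int)i;
    return -1;
}

/* Constructed traces (not measurements). demo_trace: ~100 SYN/s of normal
 * traffic, then a flood of 4000 SYN/s from interval 6 onward. flat_trace:
 * normal traffic only. short_burst: two flood intervals, fewer than K. */
const unsigned demo_trace[]  = {100, 110, 95, 105, 98, 102, 4000, 4000, 4000, 4000, 4000};
const size_t   demo_trace_len = sizeof demo_trace / sizeof demo_trace[0];

const unsigned flat_trace[]  = {100, 110, 95, 105, 98, 102, 120, 90};
const size_t   flat_trace_len = sizeof flat_trace / sizeof flat_trace[0];

const unsigned short_burst[] = {100, 110, 95, 105, 98, 102, 4000, 4000, 100};
const size_t   short_burst_len = sizeof short_burst / sizeof short_burst[0];

int main(void)
{
    printf("demo trace:  first alarm at interval %d\n",
           first_alarm_interval(demo_trace, demo_trace_len));    /* 8 */
    printf("flat trace:  first alarm at interval %d\n",
           first_alarm_interval(flat_trace, flat_trace_len));    /* -1 */
    printf("short burst: first alarm at interval %d\n",
           first_alarm_interval(short_burst, short_burst_len));  /* -1 */
    return 0;
}
```

With K = 3 the alarm fires at the third flood interval (index 8 of demo_trace), a two-interval burst is ignored, and normal traffic never trips the threshold. In the thesis's architecture the alarm would be the control message that makes the state information management module install filtering rules; the per-interval SYN count would come from a Netfilter hook rather than an array.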
Keywords/Search Tags: Firewall, Adaptive threshold algorithm, SYN flood attack, Stateful inspection