
Syn Cookie Principle Of Syn Flood Defenses On The Router

Posted on: 2008-08-14
Degree: Master
Type: Thesis
Country: China
Candidate: Y Liu
Full Text: PDF
GTID: 2208360212999962
Subject: Information security
Abstract/Summary:
Distributed Denial of Service (DDoS) attack is becoming one of the most severe security issues of the Internet nowadays. Several factors, such as the existence of a large number of insecure machines, the broad availability of automated DDoS tools and the use of forged source IP addresses, make it quite difficult to defend against and trace DDoS attacks. Currently most DDoS attacks are carried out over the TCP protocol and use TCP flooding to achieve their goal. Research on DDoS and SYN Flood attacks has already become a promising area in the information security community, and some commercial companies, e.g. Cisco and Huawei, have already developed dedicated products. However, in order to detect and prevent DDoS and thus protect the security of systems, we have to investigate the properties of DDoS in depth so that we can make a specific proposal for solving this problem.

In this thesis, we have investigated the mechanism, methodology and techniques of DDoS as well as the current defense and tracing strategies against it. We then propose a SYN Cookie based defense scheme suited to current DDoS attacks. The primary goal of a SYN Flood attack is to send a high volume of requests that eat up the CPU and memory resources of the server and cause a breakdown, so our approach starts with saving those resources. Among the SYN requests intercepted by the router, those found to be illegitimate (the client never returns the ACK segment) are dropped without being forwarded to the server; the remaining ones are genuine connections and are relayed through the router to the server. Since we apply the SYN Cookie principle on the router, it does not allocate excessive resources for SYN requests. Choosing Netfilter as the primary implementation framework, we leverage the connection tracking module and IP Inspect functionality to obtain the relevant segment information and perform the appropriate processing.

Theoretical analysis and experimental simulation show that the SYN Cookie based mechanism is able to prevent DDoS attacks effectively and efficiently.
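The router-side decision described in the abstract, as an added example (not the thesis's Netfilter implementation): the router answers each SYN with a SYN-ACK whose initial sequence number is a keyed cookie, stores nothing per SYN, and forwards a connection to the server only when the client's ACK returns a cookie that verifies. The secret key, MSS table, epoch length and addresses are constructed assumptions.

```python
# Added example: stateless SYN-cookie proxy logic at a router (not the thesis's own code).
# Assumed design: the SYN-ACK's initial sequence number is a keyed cookie over the
# 4-tuple and a coarse time counter; only an ACK that returns a valid cookie is
# forwarded to the server. Key, MSS table and epoch length are constructed values.
import hashlib
import hmac
import struct
import time

SECRET = b"constructed-demo-key-rotate-in-production"  # constructed; keep secret, rotate
MSS_TABLE = (536, 1220, 1440, 1460)  # client MSS rounded down; index in cookie low 2 bits
EPOCH = 64                           # seconds per cookie epoch (counter granularity)


def _mac(saddr, daddr, sport, dport, counter):
    """22-bit keyed MAC over the connection 4-tuple and the epoch counter."""
    data = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, counter)
    digest = hmac.new(SECRET, data, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x3FFFFF


def make_cookie(saddr, daddr, sport, dport, mss, now=None):
    """ISN for the router's SYN-ACK: bits 31-24 epoch, 23-2 MAC, 1-0 MSS index."""
    counter = int(time.time() if now is None else now) // EPOCH
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((counter & 0xFF) << 24) | (_mac(saddr, daddr, sport, dport, counter) << 2) | idx


def check_cookie(saddr, daddr, sport, dport, ack_seq, now=None):
    """Return the negotiated MSS if the ACK carries a valid, fresh cookie, else None."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF  # the client acknowledges ISN + 1
    current = int(time.time() if now is None else now) // EPOCH
    for counter in (current, current - 1):  # accept current and previous epoch only
        if (counter & 0xFF) != cookie >> 24:
            continue
        if _mac(saddr, daddr, sport, dport, counter) == (cookie >> 2) & 0x3FFFFF:
            return MSS_TABLE[cookie & 3]
    return None  # forged, replayed or stale: no server resources were ever committed


def router_decision(saddr, daddr, sport, dport, ack_seq, now=None):
    """'drop' an ACK without a valid cookie; 'forward' a completed handshake to the server."""
    mss = check_cookie(saddr, daddr, sport, dport, ack_seq, now)
    return "drop" if mss is None else "forward"
```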
Keywords/Search Tags: DDoS, SYN Cookie, Router, Netfilter Framework, SYN Flood