
SYN Flood Type DDoS Attack Detection and Defense Research

Posted on: 2008-06-10
Degree: Master
Type: Thesis
Country: China
Candidate: Z Li
Full Text: PDF
GTID: 2208360215450038
Subject: Information security

Abstract/Summary:
The Internet plays an ever more important part in social life. A report from the International Telecommunication Union and the Organisation for Economic Co-operation and Development indicates that the number of Internet users worldwide has now exceeded 1,000,000,000, of whom 850,000,000 go online regularly. Companies, schools and other parts of society likewise cannot function without the Internet; it affects every aspect of society. At the same time, Internet security matters more today than ever. Viruses and worms damage the Internet and society suffers greatly from them, and the distributed denial-of-service (DDoS) attack has become the most powerful destroyer of all. Studying DDoS attacks is therefore worthwhile.

The Linux operating system is stable, flexible and customizable. It provides firewall functions (packet filtering, IP masquerading, transparent proxying) at little cost. Since Linux 2.4 it has included a new firewall framework, Netfilter, which has a better structure and many new functions, such as dynamic NAT, MAC address filtering, stateful filtering and packet rate limiting. Netfilter exposes five hooks at the IP layer, so packets can be captured and processed easily. With so many advantages, Linux is well suited to servers.

Based on these two points, we researched and developed a system to defend against DDoS attacks under Linux 2.6. It has the following characteristics:

(1) Entropy-based real-time detection module. A good detection module is essential to the whole DDoS defense system. The entropy-based real-time detection module not only raises an alarm against a DDoS attack rapidly, but also keeps the false-alarm rate low, which increases the efficiency of the DDoS defense system. The experiments show satisfactory results.

(2) Black and white lists. By comparing each source against the 'good' and 'bad' IP addresses in the history record, packets from 'bad' addresses are dropped, which lightens the load on the next module. This module works well in the experiments.

(3) Good DoS/DDoS defense performance. The protocol analysis module can accurately identify and block DoS/DDoS attacks from abnormal packet streams.

(4) A SYN flood defense module based on SYN cookies. Over ninety percent of DDoS attacks are based on the TCP protocol, and most of them use SYN flooding, so a good SYN flood defense module plays an important part in the whole DDoS defense system. This module shows excellent performance in the experiments.

(5) Self-learning system. This system consists of two subsystems. The honeypot subsystem collects abnormal packet streams out of band, and the data mining subsystem generates defense rules from them. These rules update the entropy thresholds of the detection module, the black and white lists, and the protocol analysis module.
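The entropy-based detection idea in point (1) can be illustrated user-space side with the following added example, which is not code from the thesis. It assumes count-based windows of SYN packets, a baseline learned from the first few windows (assumed clean, standing in for the rules the self-learning system would supply), and a fixed tolerance in bits; the packet trace is constructed inline.

```python
from collections import Counter
from math import log2
from typing import Iterable, List, Tuple

# Constructed packet record: (source IP, TCP flag string); "S" marks a bare SYN.
Packet = Tuple[str, str]


def shannon_entropy(values: Iterable[str]) -> float:
    """Shannon entropy, in bits, of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values()) if total else 0.0


def window_entropies(packets: List[Packet], window_size: int) -> List[float]:
    """Source-address entropy of each consecutive window of `window_size` SYN packets.
    Non-SYN packets are ignored; a trailing partial window is dropped."""
    syn_sources = [src for src, flags in packets if flags == "S"]
    return [shannon_entropy(syn_sources[i:i + window_size])
            for i in range(0, len(syn_sources) - window_size + 1, window_size)]


def detect(packets: List[Packet], window_size: int = 32,
           train_windows: int = 3, tolerance: float = 1.0) -> List[Tuple[int, float]]:
    """Learn a baseline from the first `train_windows` windows (assumed clean), then
    flag any later window whose entropy departs from it by more than `tolerance` bits.
    A flood from randomised spoofed sources pushes entropy up; one from a single
    source pushes it down, so a deviation in either direction raises an alarm."""
    entropies = window_entropies(packets, window_size)
    baseline = sum(entropies[:train_windows]) / train_windows
    return [(i, round(h, 2)) for i, h in enumerate(entropies)
            if i >= train_windows and abs(h - baseline) > tolerance]


def _normal_window() -> List[Packet]:
    # Eight legitimate clients with a skewed SYN share (32 SYNs), plus stray ACKs.
    weights = [8, 6, 5, 4, 3, 3, 2, 1]
    pkts = [(f"10.0.0.{i + 1}", "S") for i, w in enumerate(weights) for _ in range(w)]
    return pkts + [("10.0.0.1", "A"), ("10.0.0.2", "A")]


def _spoofed_flood_window() -> List[Packet]:
    # 32 SYNs, each from a different constructed source address (entropy 5 bits).
    return [(f"198.51.100.{i + 1}", "S") for i in range(32)]


def _single_source_flood_window() -> List[Packet]:
    # 32 SYNs from one constructed address (entropy 0 bits).
    return [("203.0.113.7", "S")] * 32


# Constructed trace: three clean training windows, one clean window, two attack
# windows (spoofed, then single-source), then traffic returning to normal.
SAMPLE_TRAFFIC: List[Packet] = (_normal_window() * 4 + _spoofed_flood_window()
                                + _single_source_flood_window() + _normal_window())

if __name__ == "__main__":
    for index, h in detect(SAMPLE_TRAFFIC):
        print(f"window {index}: entropy {h} bits, SYN flood suspected")
```

Windows 4 and 5 are flagged while the clean windows before and after them are not; in a deployment the baseline and tolerance would be refreshed from the honeypot and data mining rules rather than fixed.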
Keywords/Search Tags: DDoS, Netfilter, Entropy, SYN Cookie