Detection And Defense Mechanism Of SYN Flood Based On Analysis Of Load And Consistency Of TCP Protocol

Posted on: 2013-10-21
Degree: Master
Type: Thesis
Country: China
Candidate: H Q Wang
GTID: 2298330467978321
Subject: Computer system architecture

Abstract/Summary:
With the rapid development of network technology, the network is gradually penetrating all aspects of life and work, and network security issues are becoming increasingly serious. Attacks have become more and more common, and DDoS, one of the most destructive attacks on the Internet, is among the most convenient and effective methods available to attackers. Statistics show that over 90% of DDoS attacks use TCP, and SYN Flood, which attacks the target server by exploiting a weakness in TCP, is a common type of DDoS. Effectively detecting SYN Flood and reducing the damage it causes is therefore of practical significance for Internet security.

First, the thesis discusses and analyzes the existing detection and prevention methods for SYN Flood. This analysis shows that the packets produced by most attack tools are consistent in certain parameters, such as total packet length, TTL and source port. Based on these characteristics, the thesis proposes a TCP SYN Flood detection mechanism based on load analysis.

In addition, the thesis proposes a defense mechanism based on protocol consistency, which makes use of TCP's timeout retransmission mechanism. The mechanism is built on intentional packet dropping: it drops the first SYN packet from each IP address. The next SYN packet, sent in accordance with TCP's timeout retransmission mechanism, reaches the server. Because the attacker does not need to obtain the server's response and does not abide by the timeout retransmission mechanism, the packets it sends are filtered out. Conversely, because legitimate users behave consistently with the protocol, their SYN packets pass the intentional-drop filter and reach the server.

Combining these two mechanisms, the thesis proposes a detection and defense mechanism for SYN Flood based on analysis of load and consistency of the TCP protocol.

The thesis uses WinDump to extract and analyze packet parameters, establishes a packet filtering mechanism, and drops the attacking packets. Simulation tests show that the mechanism based on load analysis distinguishes network congestion from SYN Flood attacks well, with low missed-detection and false-alarm rates, and that its detection rate is to a certain degree superior to that of traditional detection methods. The mechanism based on TCP protocol consistency adds little extra cost for the server.
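The intentional first-SYN drop described in the abstract, as an added sketch that is not code from the thesis: the class name, the two timer values and the sample addresses are assumptions, since the abstract gives no parameters.

```python
from dataclasses import dataclass, field

# Assumed timer values; the abstract does not state any.
MIN_RETX_GAP = 0.5    # s: a repeat sooner than this is not a timeout retransmission
MAX_RETX_GAP = 10.0   # s: a dropped first SYN is forgotten after this long


@dataclass
class FirstSynDropFilter:
    """Hypothetical filter: drop the first SYN per source IP, pass the retransmit."""
    pending: dict = field(default_factory=dict)   # src_ip -> time of dropped SYN
    verified: set = field(default_factory=set)    # src_ips that retransmitted

    def on_syn(self, src_ip: str, now: float) -> str:
        if src_ip in self.verified:
            return "pass"
        first = self.pending.get(src_ip)
        if first is None or now - first > MAX_RETX_GAP:
            self.pending[src_ip] = now   # first (or stale) SYN: dropped on purpose
            return "drop"
        if now - first < MIN_RETX_GAP:
            return "drop"                # repeated too quickly for a timeout retransmit
        del self.pending[src_ip]         # protocol-consistent retransmission
        self.verified.add(src_ip)
        return "pass"


def run(events):
    """events: iterable of (time, src_ip); returns (src_ip, time, verdict) tuples."""
    f = FirstSynDropFilter()
    return [(ip, t, f.on_syn(ip, t)) for t, ip in sorted(events)]


def summarize(events):
    out = {"pass": [], "drop": []}
    for ip, _, verdict in run(events):
        out[verdict].append(ip)
    return out


# Constructed sample traffic (documentation address ranges).
CLIENT = [(0.0, "198.51.100.7"), (1.0, "198.51.100.7")]          # SYN + retransmit
FLOOD = [(0.001 * i, f"203.0.113.{i}") for i in range(1, 201)]   # one SYN per source
BURST = [(2.0, "192.0.2.9"), (2.01, "192.0.2.9")]                # repeat with no timeout

if __name__ == "__main__":
    s = summarize(CLIENT + FLOOD + BURST)
    print("passed:", s["pass"], "dropped:", len(s["drop"]))
```

The `pending` table is itself per-source state, so a deployment of this idea needs a bounded table with expiry to keep the filter from becoming the exhausted resource.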
Keywords/Search Tags: DDoS, SYN Flood, TCP/IP, the header of packet, overtime and retransmission mechanism