
Firewall Filtering DDoS Attack Detection Technology Research

Posted on: 2017-04-04
Degree: Master
Type: Thesis
Country: China
Candidate: Y Z Zhu
GTID: 2348330518470810
Subject: Computer Science and Technology
Abstract/Summary:
In recent years, the harm caused by DDoS attacks has become more and more obvious, with a tremendous direct impact on the economy, the military, homeland security and other areas. As an important protective barrier in the modern Internet, the firewall plays an important role in protecting the security of the network. Faced with the increasing trend of Internet attacks, the firewall should not only provide protection but also deal with attack traffic in time, so that the damage is kept to a minimum. Among the various types of DDoS attack, the SYN Flood attack is still the most frequent, so this paper focuses on how the firewall side can quickly detect a SYN Flood attack and filter the attack traffic.

Combining the time-series characteristics of normal traffic with those of the SYN Flood attack, this paper proposes K-NN-LRI, a real-time monitoring method with a dynamic threshold. The method uses an array K to simplify the calculation steps of the original K-NN algorithm, which greatly reduces the computational complexity. It also improves on the dynamic K-NN cumulative-distance outlier detection algorithm, which generates false alarms when traffic drops sharply, and so improves the correct rate. The method combines the amount of flow table space, the number of SYN packets, the number of RST packets, the number of FIN packets and other features, and uses linear regression to determine whether a SYN Flood attack is under way. Finally, simulation experiments are carried out in MATLAB. The results show that the method has a higher correct rate and attack detection rate and a lower false alarm rate.

For the case where a SYN Flood attack has been detected, this paper proposes an active queue management mechanism based on a multi-threshold SYN-BLUE algorithm. The algorithm first derives, from the TCP-friendly formula, that a quadratic relationship exists among the packet loss rate, the number of flow connections and the fair window value of a flow. Then, according to the characteristics of the SYN Flood attack, it sets different thresholds and, according to the threshold, applies anti-SYN-Flood measures of different intensity. Finally, a simulation experiment is carried out in a LAN environment. The experimental data show that, under a DDoS attack, this method can actively improve the packet loss rate and the throughput of the firewall system, safeguarding the quality of service for legitimate users.
Keywords/Search Tags: Firewall, SYN Flood attack detection, SYN Flood attack filtering, active queue management, improved K-NN