Abstract
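Distributed denial-of-service (DDoS) attacks are a form of denial-of-service attack with high attack intensity and severe impact. Consequently, detecting and defending against them is very difficult. This article mainly introduces several commonly used DDoS methods, proposes a scheme that performs detection based on the distribution of TTL values in IP packets and performs verification and filtering of TCP packets, and on this basis improves the traditional Linux firewall. Experiments show that the improved firewall can defend against DDoS attacks to a certain extent, and that it offers a large improvement in real-time performance and accuracy over traditional simple packet filtering methods.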
Defense against distributed denial-of-service attacks is one of the hardest security problems on the Internet. It is very hard to detect and defend against them. This paper presents a scheme based on the distribution of TTL values of IP packets and on verification and filtering of TCP packets, on which we base an improvement to the traditional Linux firewall. As shown by the research results, the improved firewall can detect DDoS attacks and is more reliable in recognizing DDoS attacks.
Source
《长沙通信职业技术学院学报》
2005, Issue 3, pp. 30-35 (6 pages)
Journal of Changsha Telecommunications and Technology Vocational College
Funding
Supported by the National 863 Program fund.