摘要
DDOS(分布式拒绝服务)是一种常见的、破坏力强的网络攻击,为了减小其对网络设备的影响,提出一种在接入控制器中基于Netfilter的防范DDOS攻击的策略。结合改良的SYN Cookie(标识握手信号的本地数据)技术,对Linux内核中的Netfilter进行二次开发,实现了针对DDOS中SYN Flood(标识握手信号的洪水攻击)方式的防火墙。测试结果表明:该方案能够有效地防止网络攻击,以较小的性能损失保证TCP(传输控制协议)服务的正常工作,并节约了成本。
Distributed Denial of Service (DDOS)is a common and destructive network attack.In order to minimize its impacts on network equipment,this paper presents a Netfilter-based strategy for preventing DDOS attacks on access controllers.Using the improved SYN Cookie technology,it executes a secondary development of Netfilter in the inner core of Linux,realizing a firewall against SYN Flood in DDOS.Test results indicate that this scheme effectively prevents network attacks,ensures the normal service of TCP with little performance loss and saves cost.
出处
《光通信研究》
北大核心
2013年第5期63-66,共4页
Study on Optical Communications
