| Field | Value |
|---|---|
| Graduate student | 林楷勛 Kai-Hsun Lin |
| Thesis title | 適用於保護應用伺服器以防止分散式阻斷服務攻擊之入侵保護系統 (Intrusion Prevention System Suitable for Protecting Application Servers from Distributed Denial of Service Attacks) |
| Advisor | 孫宏民 Hung-Min Sun |
| Oral examination committee | |
| Degree | Master |
| Department | College of Electrical Engineering and Computer Science - Institute of Information Systems and Applications |
| Year of publication | 2004 |
| Graduation academic year | 92 |
| Language | Chinese |
| Number of pages | 47 |
| Chinese keywords | intrusion detection, denial of service, firewall |
| Foreign-language keywords | IDS, DoS, DDoS, FireWall |
Denial of service (DoS) broadly refers to an attacker using attack programs to prevent legitimate users from accessing a particular service. It can generally be divided into three types: one targets vulnerabilities in the service system to bring down the target entirely; one exploits weaknesses in communication protocols so that legitimate users cannot access the service; and another sends a large volume of packet traffic so that the victim cannot keep up and collapses. Of these three, denial of service that exploits protocol weaknesses is the hardest to prevent. TCP SYN Flooding is a well-known denial of service attack that exploits a weakness in the TCP protocol's three-way handshake. Many well-known websites now face the even more damaging distributed denial of service attack. Firewalls and intrusion detection systems can only defend against traditional denial of service attacks; to date there is no complete solution to the TCP SYN Flooding DDoS attack. This thesis first analyzes how the TCP SYN Flooding attack works and proposes a method for defending against it. The method counters DDoS by building a database of legitimate users' addresses, monitoring the number of half-open connections in the backlog queue, and applying a packet filtering mechanism. The main advantage of this mechanism is that it effectively resists TCP SYN Flooding attacks without introducing any delay for legitimate users. This thesis also analyzes and experiments with an application-layer denial of service attack, referred to here as the TCP keep alive attack; the system architecture proposed in this thesis can likewise counter the TCP keep alive denial of service attack.
DoS means that an attacker attempts to degrade the service offered to normal end users. In general, DoS attacks can be separated into three main types: 1) exploiting a vulnerability in the system to bring down the whole system; 2) exploiting a weakness in a protocol to block normal users; 3) using a large volume of traffic to make it hard for the server to serve normal users' requests. Of these three types, exploiting a protocol weakness is the hardest to defend against. The TCP SYN Flooding attack is a well-known denial of service (DoS) attack that exploits a vulnerability in the TCP three-way handshake. Recently many famous web sites have faced a stronger form of denial of service attack known as the Distributed Denial of Service attack (DDoS). Organizations deploying security measures such as firewalls and intrusion detection systems (IDS) can cope with traditional DoS attacks, but there is still no complete solution for protection from the SYN Flooding DDoS attack. This thesis analyzes the TCP SYN Flooding attack and presents a protection method against SYN Flooding attacks launched by DoS/DDoS tools. It protects the server by generating a legal access database, monitoring the server's backlog queue entries, and IP filtering. Its main advantages are its strong ability to defend against the TCP SYN Flooding attack and minimal delay for legitimate users' access. We also analyze an application-layer DoS attack method, called TCP keep alive in this thesis, and test the attack method. The protection system we propose can also protect against this attack.