Title :
A Three-Layer Defense Mechanism Based on WEB Servers Against Distributed Denial of Service Attacks
Author :
Wu, Zhijun ; Chen, Zhifeng
Author_Institution :
Tianjin Key Lab for Adv. Signal Process., Civil Aviation Univ. of China, Tianjin
Abstract :
It is widely recognized that distributed denial of service (DDoS) attacks can disrupt Web services and cause large revenue losses. However, effective defenses remain largely unavailable. We design a novel DDoS security mechanism: a three-layer defense mechanism based on Web servers. Combining the traffic characteristics of Web servers with the TCP/IP reference model, it uses statistical filtering and traffic limiting at the network, transport and application layers to filter illegitimate traffic so that normal traffic can pass. The majority of illegitimate traffic is filtered by the SHCF (simplified hop count filtering) algorithm at the network layer. The remaining illegitimate traffic is filtered by a SYN proxy firewall at the transport layer. Traffic limiting is applied at the application layer against DDoS attacks that use legitimate IP addresses. Through the collaborative defense of the three layers, the availability of Web services can be sustained under DDoS attacks. The defense mechanism is implemented and tested inside the Linux kernel. The results indicate that the three-layer defense mechanism can defend against DDoS attacks effectively.
Keywords :
Internet; authorisation; filtering theory; statistical analysis; telecommunication security; telecommunication services; telecommunication traffic; transport protocols; DDoS security mechanism; Linux kernel; SYN proxy firewall; TCP/IP reference model; Web servers; Web services; application layer; distributed denial of service attacks; illegitimate traffic filtering; large revenue losses; legitimate IP; network layer; simplified hop count filtering; statistical filtering; three-layer defense mechanism; traffic limit; transmission layer; transport layer; Collaboration; Computer crime; Filtering algorithms; Information filtering; Information filters; TCPIP; Telecommunication traffic; Traffic control; Web server; Web services; DDoS defense; TTL; Web servers; illegitimate traffic;
Conference_Title :
Communications and Networking in China, 2006. ChinaCom '06. First International Conference on
Conference_Location :
Beijing
Print_ISBN :
1-4244-0463-0
Electronic_ISBN :
1-4244-0463-0
DOI :
10.1109/CHINACOM.2006.344851