• Degree thesis

Design and Implementation of Enhanced SYN Cookies with Extra TCP Options

Advisor: 李肇林


As the Internet has spread rapidly, more and more important services in daily life can be accessed over the network, and today our lives are inseparable from it. Denial of Service (DoS) attacks have been a common form of attack on the Internet in recent years; they exploit a weakness in the TCP three-way handshake, and their goal is to block legitimate users from accessing services on the network. DoS attacks have caused enormous financial losses to many enterprises and constitute a major threat to network security. The Linux kernel contains a tool for defending against DoS attacks, SYN Cookies, but it lacks additional TCP options. We therefore propose a model that conforms more closely to the standard protocol and provides more TCP options, aiming to achieve both security and efficiency.




As the Internet's popularity grows rapidly, an increasing number of critical services rely on the Internet for daily operation; today we cannot live without it. A Denial of Service (DoS) attack that exploits the TCP three-way handshake is extremely common in today's networks. The goal of a DoS attack is to prevent legitimate users from using Internet services. Many organizations have suffered huge financial losses as a result of DoS attacks, which are a major threat to Internet security. The Linux kernel includes a tool, SYN Cookies, for defending against DoS attacks, but it lacks support for additional TCP options. We therefore propose a more standard-conformant model that supports more TCP options, and we hope the system will offer not only security but also efficiency.
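To make the limitation the abstract refers to concrete, the following Python model of classic SYN cookie generation and validation is added here; it is illustrative code written for this page, not the thesis's implementation and not the Linux kernel's. The 5/3/24-bit layout of the 32-bit initial sequence number, the 64-second counter and the small MSS table are modelled on the classic scheme; the secret key, addresses, ports and sequence numbers are constructed values. Because the server keeps no state for a half-open connection, everything it later knows about the client's SYN must fit in those 32 bits, so only a coarse MSS index survives and options such as window scale, SACK-permitted and timestamps are lost.

```python
import hashlib
import hmac
import socket
import struct

# Added illustration of classic SYN cookies (not the thesis's or the kernel's code).
# 32-bit server ISN layout, modelled on the classic scheme:
#   bits 31..27  counter t mod 32 (t advances every 64 s)
#   bits 26..24  index into a small MSS table
#   bits 23..0   keyed hash over the 4-tuple, the client's ISN, t and the MSS index
HASH_BITS, MSS_BITS, COUNTER_BITS = 24, 3, 5
MSS_SHIFT = HASH_BITS
T_SHIFT = HASH_BITS + MSS_BITS
WINDOW_SECS = 64
# Constructed table modelled on the small MSS table classic SYN cookies use.
MSS_TABLE = (536, 1300, 1440, 1460)


def _hash24(secret, saddr, sport, daddr, dport, client_isn, t, idx):
    """24-bit keyed hash binding the cookie to the 4-tuple, client ISN, time slot and MSS index."""
    data = struct.pack("!4sH4sHIIB", socket.inet_aton(saddr), sport,
                       socket.inet_aton(daddr), dport,
                       client_isn & 0xFFFFFFFF, t & 0xFFFFFFFF, idx)
    digest = hmac.new(secret, data, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def mss_index(client_mss):
    """Index of the largest table entry not exceeding the client's MSS (0 if none fits)."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def make_cookie(secret, saddr, sport, daddr, dport, client_isn, client_mss, now):
    """Server ISN for the SYN-ACK; the server stores nothing about the half-open connection."""
    t = now // WINDOW_SECS
    idx = mss_index(client_mss)
    cookie = (((t & ((1 << COUNTER_BITS) - 1)) << T_SHIFT)
              | (idx << MSS_SHIFT)
              | _hash24(secret, saddr, sport, daddr, dport, client_isn, t, idx))
    return cookie & 0xFFFFFFFF


def check_cookie(secret, saddr, sport, daddr, dport, client_isn, ack_num, now):
    """Validate the handshake's final ACK. Returns the recovered MSS, or None if forged or stale."""
    cookie = (ack_num - 1) & 0xFFFFFFFF          # the client ACKs our ISN + 1
    t_stored = cookie >> T_SHIFT
    idx = (cookie >> MSS_SHIFT) & ((1 << MSS_BITS) - 1)
    h = cookie & ((1 << HASH_BITS) - 1)
    if idx >= len(MSS_TABLE):                    # index not produced by make_cookie
        return None
    t_now = now // WINDOW_SECS
    for age in (0, 1):                           # accept the current and the previous slot
        t = t_now - age
        if (t & ((1 << COUNTER_BITS) - 1)) == t_stored and \
                h == _hash24(secret, saddr, sport, daddr, dport, client_isn, t, idx):
            return MSS_TABLE[idx]
    return None


def reconstruct_from_ack(secret, saddr, sport, daddr, dport, client_isn, ack_num, now):
    """Everything the stateless server can rebuild from the ACK: only the coarse MSS survives;
    window scale, SACK-permitted and timestamps from the client's SYN are unrecoverable."""
    mss = check_cookie(secret, saddr, sport, daddr, dport, client_isn, ack_num, now)
    if mss is None:
        return None
    return {"mss": mss, "wscale": None, "sack_permitted": None, "timestamps": None}


if __name__ == "__main__":
    # Constructed scenario: one client SYN, the cookie it receives, and the ACK that completes it.
    key = b"constructed-secret-key"
    conn = ("192.0.2.10", 40000, "198.51.100.5", 80, 0x11223344)
    isn = make_cookie(key, *conn, client_mss=1460, now=1_000_000)
    print("cookie ISN: %#010x" % isn)
    print("valid ACK  ->", reconstruct_from_ack(key, *conn, ack_num=isn + 1, now=1_000_010))
    print("forged ACK ->", reconstruct_from_ack(key, *conn, ack_num=(isn ^ 1) + 1, now=1_000_010))
    print("stale ACK  ->", reconstruct_from_ack(key, *conn, ack_num=isn + 1, now=1_000_200))
```

The hash covers the MSS index and the time slot, so a modified or replayed cookie fails validation once its 64-second window and the following one have passed; the price, visible in `reconstruct_from_ack`, is that the three spare bits can only name an approximate MSS, which is exactly the gap a design carrying extra TCP options has to close.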


Keywords: Denial of Service, SYN Cookies


