隨著網際網路的快速普及，有越來越多生活中重要的服務可藉由網路來加以存取，現今，我們的生活已與網路有著密不可分的關係。
阻絕服務(Denial of Service, DoS)攻擊是近年來網路上常見的攻擊方式，它是利用TCP three-way handshake的弱點來進行攻擊，其目的是為了阻斷合法的使用者存取網路上的服務。阻絕服務攻擊已造成許多企業巨額的財務損失，形成網路安全上重大的威脅。
Linux的核心中包含著防禦阻絕服務攻擊的工具－SYN Cookies，但卻缺乏了額外的TCP options。因此，我們提出了一個更符合標準協定的模型，提供了更多的TCP options，期望能達到兼具安全與效率的目的。

As the Internet’s popularity grows rapidly, an increasing number of critical services are using the Internet for daily operation. Today we can’t live without the Internet.
Denial of Service (DoS) attack that exploits TCP three-way handshake is extremely common in today’s networks. The goal of a DoS attack is to prevent legitimate users from using the Internet services. Many organizations have suffered huge financial loss as a result of a DoS attack. It is a big threat to the Internet security.
There is a tool, SYN Cookies, for defending against DoS attacks in the Linux kernel but it lacks additional TCP options. So we propose a more standardized model which supports more TCP options. We hope the system will not only offer security but also efficiency.

1. 緒論……1
1.1 研究動機 ……1
1.2 本文架構 ……1
2. 阻絕服務攻擊 ……3
2.1 阻絕服務攻擊的攻擊方式 ……3
2.1.1 Vulnerability attack ……3
2.1.2 Flooding attack ……4
2.1.3 Vulnerability attack與Flooding attack的比較 ……4
2.2 阻絕服務攻擊的主要特性 ……4
2.3 阻絕服務攻擊所帶來的威脅 ……5
3. 背景 ……6
3.1 Internet Protocol (IP) ……6
3.2 Transmission Control Protocol (TCP) ……7
3.2.1 Maximum Segment Size (MSS) ……7
3.2.2 TCP Header ……8
3.2.3 Three-Way Handshake ……11
3.3 Backlog Queue ……12
3.4 SYN Flood Attack ……13
4. 相關研究 ……14
4.1 調整系統設定 ……14
4.2 IP Traceback ……16
4.3 Ingress / Egress Filtering ……16
4.4 Random Drop ……18
5. SYN Cookies ……19
5.1 SYN Cookies的運作原理 ……19
5.2 SYN Cookies的優缺點 ……20
6. 系統實作 ……22
6.1 TCP options的選擇 ……22
6.1.1 Selective Acknowledgment (SACK) ……22
6.1.2 Timestamps ……23
6.1.3 Window Scale ……23
6.2 系統設計 ……24
6.3 系統流程 ……25
6.3.1 產生ISN ……25
6.3.2 檢驗ISN ……31
7. 系統測試與效能分析 ……37
7.1 模擬測試 ……37
7.1.1 Large MSS vs. Small MSS ……37
7.1.2 Large Window vs. Small Window ……39
7.1.3 SACK On vs. SACK Off ……41
7.2 系統測試 ……43
7.2.1 功能測試 ……44
7.2.2 效能測試 ……47
8. 結論與未來發展 ……50
參考文獻 ……51

[1] Jelena Mirkovic, Sven Dietrich, David Dittrich, Peter Reiher, “Internet Denial of Service：Attack and Defense Mechanisms,” Prentice Hall PTR, January, 2005
[2] POSTEL, J., “ RFC 793-Transmission Control Protocol,” University of Southern California, Information Sciences Institute, Marina del Rey, September, 1981
[3] Mariusz Burdach, “Hardening the TCP / IP stack to SYN attacks,” http://www.securityfocus.com/infocus/1729
[4] Bao-Tung Wang, Henning Schulzrinne, “A DoS-Resistant IP Traceback Approach,” IRT, Columbia University, 2003
[5] “Help Defeat Denial of Service Attacks：Step-by-Step,” http://www.sans.org/dosstep/index.php
[6] P. Ferguson, D. Senie, “RFC 2267-Network Ingress Filtering：Defeating Denial of Service Attacks which employ IP Source Address Spoofing,” January, 1998
[7] David Borman, “SYN / RST cookies,” http://tcp-impl.grc.nasa.gov/tcp-impl/list/archive/0519.html
[8] D.J. Bernstein, “SYN Cookies, ” http://cr.yp.to/syncookies.html
[9] V. Jacobson, R. Braden, D. Borman, “RFC 1323-TCP Extensions for High Performance,” May, 1992
[10] V. Jacobson, R. Braden, “RFC 1072-TCP Extensions for Long-Delay Paths,” October, 1998
[11] M. Mathis, J. Mahdavi, S. Floyd, A. Romanow, “RFC 2018-TCP Selective Acknowledgment Options,” October, 1996
[12] “The Network Simulator-ns2,” http://www.isi.edu/nsnam/ns
[13] “SNORT.ORG,” http://www.snort.org
[14] “the Public Netperf Homepage,” http://www.netperf.org/netperf/NetperfPage.html
[15] “Denial of Service Attacks,” http://www.cert.org/tech_tips/denial_of_service.html
[16] Steve Gibson, “DRDos,” http://grc.com/dos/drdos.htm
[17] POSTEL, J., “ RFC 791-Internet Protocol,” University of Southern California, Information Sciences Institute, Marina del Rey, September, 1981
[18] POSTEL, J., “ RFC 879-TCP Maximum Segment Size and Related Topics,” University of Southern California, Information Sciences Institute, Marina del Rey, November, 1983
[19] “TCP OPTION NUMBERS,” http://www.iana.org/assignments/tcp-parameters
[20] “Socket Programming,” http://www-personal.umich.edu/~moenglan/sockets.html