近年來許多的網路攻擊突顯出網際網路上諸多的弱點,其中造成損害最大的可謂為分散式阻斷服務(DDoS),對於許多既存的防禦方法來說分散式的攻擊很難去防止。隨著網際網路的普及,在網路上愈來愈容易找到含有弱點的主機,有心的攻擊者可利用這些主機的弱點,來攻擊其它特定的網路主機,造成一般正常的使用者無法使用該主機的服務。 由於分散式阻斷服務有著壅塞和連續的特性,因此常常會因路由器的負載過重而造成封包無法正常傳遞。大多數的防禦機制都很難在壅塞的網路上做通訊,更遑論在發生攻擊時,再來做防禦。有鑑於此,本文提出分散式阻斷服務下之過載保護機制,可在攻擊發生時迅速且確實的將攻擊封包加以分流,並予以阻擋流量過大的來源,並將路由器的負載降低,以提供其它正常使用者的封包得以順利傳遞,並可配合其它的異常流量偵測演算法加強防禦的效果。 我們藉由建立實體的測試網路來實驗在受到分散式阻斷服務攻擊時,本文所提的方法之成效。實驗結果證明採用這套方法後可以在受到攻擊時能有效的減輕攻擊所造成的影響。 Many attacks on the internet reveal much vulnerability in recent years; causing the largest damage among them we called DDoS. For much existent defense strategies, the DDoS is hard to prevent. With the popularity of the internet, it is more and more easily to find vulnerable server; some intent attacker will use these weakness to attack the particular server that the service can’t be available to the legitimate user . Due to DDoS has characteristic of congestion and continuity, so that the packet can’t be forwarded normally because of router-overloading. Most defense mechanism can’t communicate through the congested network; it is unnecessary to say that if attacks occur, other protection mechanism will work. In view of this, this paper proposed the overload protection mechanism under DDoS that it can bypass the attacking packet quickly and precisely also defend large source and decrease loading of router when attacks occur in order to transmit packet fluently for other legitimate user. Moreover, it can work with other defense mechanism to enhance the performance of protection mechanism. We use the physical topology to simulate the performance of our protection mechanism under DDoS attack. The result of our experiment evidenced that overload protection mechanism is practical and decreases the influence effectively.