Abstract 　　In this thesis, we propose a new protection system, it can effectively resist the distributed denial-of-service (DDoS) attacks. It can improve the accuracy of judgment of the malicious attacks, and it can make the network quality more effectively. 　　In the first step, we propose the combination of the detection and routing-redirect to resist DDoS attacks. This method can effectively channelize the malicious packets. Due to the DDoS packets is features, the monitor-side can use as reference to blocked most of the malicious packets. Besides, we will use the double lines of defense to minimize the damage. In the second step, we establish a list of IP address to determine legitimate users in peacetime. When the attack occurred, it can judge normal users to avoid interference with the user of services.　　　　 　　The contributions of work are as follows. 　　(1)　In our system, we can effectively judge malicious packets to lower the error rates. 　　(2)　The establishment of the list method can reduce the time of re-analysis to avoid interference with the users. 　　We trust these mechanisms can significantly reduce attack volume. The results of our research in thesis shows that it will be much helpful to future research in the category of the DDoS defense.