Abstract: This paper proposes a two-phase model using roaming honeypot to prevent DDoS attacks due to the deficiency of present detection algorithms.In the first phase，in order to detect the attacks earlier and evoke the next phase，a simple and efficient statistical model is made in the probing stage of DDoS attacks.Then in the second phase，a set of effective detection characteristics is automatically chosen，using rank sum test，to compute distances from barycenter，which is able to differentiate between legal and illegal flows and prepare for roaming the legitimate flows timely.The experimental results show the effectiveness of the model in detecting and responding DDoS attacks.

Key words: roaming honeypot, DDoS attacks, rank sum test, defense model

摘要： 针对当前DDoS防御方法的不足，提出了一种基于漫游蜜罐的DDoS两阶段防御模型。该模型在第一阶段根据DDoS攻击的初期特征，建立简单高效的统计预警模型，并触发下一阶段防御；在第二阶段，应用秩和检验法自动选取检测特征，根据到重心的距离甄别合法与非法流，并对合法流进行漫游。实验结果表明，该模型能较早发现攻击，检测精度高，响应及时。

关键词: 漫游蜜罐, DDoS攻击, 秩和检验, 防御模型