Analysis and Research of a Linux Kernel-Based Anti-SYN Flood System

Source: Zhejiang University
The TCP/IP protocol suite is the most widely used network protocol today, but the insecurity of the TCP three-way handshake gives it an inherent weakness. With the rapid development of recent years, network security problems have become frequent and new attack methods keep appearing. SYN Flood, a representative DDoS attack, is a newly developed attack method with great destructive power. It exploits this inherent weakness of the TCP/IP protocol, is highly destructive, and is difficult to defend against, and it poses a serious threat to the security, integrity, and availability of the Internet. How to detect SYN Flood attacks and reduce the damage they cause has attracted wide attention and is a current topic of network security research.

The SYN Cookie mechanism is an improvement on the traditional TCP/IP protocol. Because the improvement is made at the protocol level, it actively defends against SYN Flood attacks and reduces their damage. However, because generating and verifying the cookie is complex and the reliability of TCP connections is degraded, the SYN Cookie mechanism is much less effective against large-scale SYN Flood attacks.

To address this problem, this paper proposes a method based on the separation of TCP packets and the SYN Cookie mechanism. Using the self-similarity of TCP packet traffic and real-time monitoring of network traffic with libpcap, the system can respond rapidly when a SYN Flood occurs. It then uses the SYN Cookie mechanism to verify the legitimacy of network packets and extracts the source IP address from the legitimate TCP packets. Drawing on the fast lookup of hash tables and on a characteristic of network packet traffic (if a packet from an IP address arrived recently, we can expect another packet from that address to arrive again), the paper optimizes the traditional IP hash table algorithm: the hash collision chains are updated dynamically to speed up the search for an IP address.

The chief characteristic of the defense system is that it collects statistics on the legitimate packets identified by the SYN Cookie mechanism and feeds them back to the system, so that the system can separate out legitimate packets more quickly. This avoids the drawback of the ordinary approach, in which every SYN and ACK packet is verified. Finally, tests show that, under equal conditions, the defense system improves the host's ability to defend against SYN Flood attacks.