Design of Firewall Against DDoS Attacks Based on NDIS Intermediate Drivers
Abstract: Distributed denial-of-service (DDoS) attacks are among the most serious attack methods on today's networks. To defend against them effectively, this paper discusses the principle of a DDoS defense on the Windows platform based on Network Driver Interface Specification (NDIS) intermediate driver technology. Because an NDIS intermediate driver sits at a very low level of the Windows network components, it can intercept all Ethernet packets, and it offers high efficiency, accurate interception, and low system resource overhead. Combined with policies such as blacklists and whitelists and per-IP connection counts, it leaves attackers almost no exploitable loopholes. It is particularly well suited for use as a firewall for large professional networks.
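The policy decision the abstract describes (whitelist, blacklist, per-IP connection count applied to raw Ethernet frames) can be sketched in portable C as follows; this is an added example, not code from the paper, and the NDIS driver plumbing that would call it is omitted. All names, the sample addresses, the limit of 3, and the choice to count bare TCP SYNs per source within a timer window are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_CONN_PER_IP 3u                 /* assumed policy value */
#define SLOTS 4096u                        /* assumed table size */
#define COUNT(a) (sizeof(a) / sizeof(*(a)))
enum verdict { PASS, DROP };
struct entry { uint32_t ip, syns; uint8_t used; };
static struct entry table[SLOTS];
/* Constructed sample lists (documentation addresses), host byte order. */
static const uint32_t whitelist[] = { 0xC0000201u };   /* 192.0.2.1 */
static const uint32_t blacklist[] = { 0xCB007107u };   /* 203.0.113.7 */

static int listed(const uint32_t *l, size_t n, uint32_t ip) {
    for (size_t i = 0; i < n; i++) if (l[i] == ip) return 1;
    return 0;
}

/* Run from a periodic timer so the counts cover one time window. */
void filter_reset(void) { memset(table, 0, sizeof table); }

/* Linear-probe lookup or insert; NULL means the table is full. */
static struct entry *lookup(uint32_t ip) {
    uint32_t h = (ip * 2654435761u) % SLOTS;
    for (uint32_t i = 0; i < SLOTS; i++) {
        struct entry *e = &table[(h + i) % SLOTS];
        if (!e->used) { e->used = 1; e->ip = ip; return e; }
        if (e->ip == ip) return e;
    }
    return NULL;
}

/* Verdict for one received Ethernet frame (untagged; policy covers IPv4 only). */
enum verdict filter_frame(const uint8_t *f, size_t len) {
    if (len < 14 || f[12] != 0x08 || f[13] != 0x00) return PASS;  /* not IPv4 */
    size_t ihl = len < 34 ? 0 : (size_t)(f[14] & 0x0F) * 4;
    if (ihl < 20 || (f[14] >> 4) != 4 || len < 14 + ihl) return DROP; /* malformed */
    uint32_t src = (uint32_t)f[26] << 24 | (uint32_t)f[27] << 16
                 | (uint32_t)f[28] << 8 | f[29];
    if (listed(whitelist, COUNT(whitelist), src)) return PASS;
    if (listed(blacklist, COUNT(blacklist), src)) return DROP;
    if (f[23] != 6 || ((f[20] & 0x1F) | f[21]) != 0) return PASS; /* no TCP header here */
    if (len < 14 + ihl + 20) return DROP;                 /* truncated TCP header */
    if ((f[14 + ihl + 13] & 0x12) != 0x02) return PASS;   /* not a bare SYN */
    struct entry *e = lookup(src);
    if (!e) return DROP;                                  /* table full: fail closed */
    return ++e->syns > MAX_CONN_PER_IP ? DROP : PASS;
}
```

Failing closed when the table fills matters here because a flood with many spoofed source addresses would otherwise exhaust the counters and pass unchecked, while whitelisted peers are still admitted because the list check runs before any counting.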