SDN-SYN PoW: Intent-Aware Adaptive SDN Defense with PoW Against multi-domain SYN Floods

Wenyang Jia

TL;DR

Through rigorous experiments on a custom-built testbed, it is demonstrated that SDN-SYN PoW provides substantially superior protection and, critically, that the PoW overhead remains negligible for legitimate clients, ensuring compatibility even with low-power devices.

Abstract

The stability of Internet services is persistently challenged by the escalating scale of volumetric TCP SYN floods, as conventional defenses like SYN Cookies fail by exacerbating bandwidth depletion under modern attacks. This paper introduces SDN-SYN PoW, a novel defense architecture that synergizes non-interactive Proof-of-Work with a Software-Defined Networking (SDN) control plane, an approach particularly effective for securing the network edge in modern SD-WAN deployments. The core innovation is its ability to perform global network sensing; the SDN controller monitors real-time traffic to dynamically adjust PoW difficulty, transforming the defense from a static mechanism into an intelligent, adaptive system that surgically applies computational costs only to anomalous sources. Through rigorous experiments on a custom-built testbed, we demonstrate that SDN-SYN PoW provides substantially superior protection and, critically, that the PoW overhead remains negligible for legitimate clients, ensuring compatibility even with low-power devices.
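As an added illustration, not code from the paper, the following Python sketches the two mechanisms the abstract describes: a non-interactive PoW that a client binds to its own connection tuple and the edge checks with a single hash, and a controller policy that raises the required difficulty only for sources whose SYN rate is anomalous. The hash construction, thresholds, step sizes and the 4-bit default are assumptions chosen for the example.

```python
import hashlib
import struct
from collections import defaultdict

# Constructed example. Parameters below are assumptions, not values from the paper.
DEFAULT_BITS = 4          # cheap global default that legitimate clients always pay
MAX_BITS = 20             # cap on per-source difficulty
SYN_RATE_THRESHOLD = 50   # SYNs per observation window that mark a source anomalous

def _digest(src_ip, dst_ip, dst_port, ts, nonce):
    # Challenge is derived from the connection tuple and a timestamp, so the client
    # needs no server-issued challenge and the edge keeps no half-open state.
    msg = f"{src_ip}|{dst_ip}|{dst_port}|{ts}".encode() + struct.pack(">Q", nonce)
    return hashlib.sha256(msg).digest()

def _leading_zero_bits(digest):
    return 256 - int.from_bytes(digest, "big").bit_length()

def solve_pow(src_ip, dst_ip, dst_port, ts, bits):
    """Client side: find a nonce whose digest has at least `bits` leading zero bits."""
    nonce = 0
    while _leading_zero_bits(_digest(src_ip, dst_ip, dst_port, ts, nonce)) < bits:
        nonce += 1
    return nonce

def verify_pow(src_ip, dst_ip, dst_port, ts, nonce, bits):
    """Edge side: one hash per SYN against the difficulty currently set for the source."""
    return _leading_zero_bits(_digest(src_ip, dst_ip, dst_port, ts, nonce)) >= bits

class DifficultyController:
    """Models the controller's adaptive policy: count SYNs per source, then re-tune."""
    def __init__(self):
        self.syn_counts = defaultdict(int)
        self.difficulty = defaultdict(lambda: DEFAULT_BITS)

    def observe_syn(self, src_ip):
        self.syn_counts[src_ip] += 1

    def end_window(self):
        # Raise difficulty for anomalous sources, decay it for quiet ones, so the
        # computational cost lands only where traffic looks abnormal.
        for src, count in self.syn_counts.items():
            if count > SYN_RATE_THRESHOLD:
                self.difficulty[src] = min(MAX_BITS, self.difficulty[src] + 4)
            else:
                self.difficulty[src] = max(DEFAULT_BITS, self.difficulty[src] - 2)
        self.syn_counts.clear()
        return dict(self.difficulty)
```

With the constructed values, a source sending 200 SYNs in one window is stepped from 4 to 8 required bits while a source sending 3 stays at the default, and a SYN carrying a nonce solved for 4 bits is rejected once the edge demands more.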
Paper Structure (35 sections, 3 equations, 6 figures, 1 table, 1 algorithm)

Figures (6)

  • Figure 1: Experimental topology (clients, attackers, SDN-enabled routers).
  • Figure 2: Baseline client performance by location. The measurements establish the uncontested Quality of Service (QoS) benchmark, showing minor performance variations attributable to network topology. Clients co-located with the server (LAN A) exhibit slightly higher transaction rates than those in remote LANs (B and C).
  • Figure 3: During peacetime, both SYN Cookies and SDN-SYN PoW impose negligible overhead; the small cost of SDN-SYN PoW reflects its globally enforced, low-difficulty default policy.
  • Figure 4: Our custom C floods cause complete DoS for co-located clients (LAN C) and severe degradation elsewhere, confirming SYN floods act mainly via bandwidth exhaustion.
  • Figure 5: SYN Cookies worsen congestion in LANs A and B during large spoofed SYN floods by producing one SYN–ACK per SYN, effectively doubling load.