SDN-SYN PoW: Adaptive Ingress-Aware Defense with Non-Interactive PoW Against Volumetric SYN Floods

TL;DR

SDN-SYN PoW is an adaptive, ingress-aware defense mechanism against volumetric SYN floods that leverages non-interactive Proof of Work and SDN control to improve resilience and reduce overhead.

Contribution

It introduces a novel SDN-based architecture with adaptive PoW enforcement and a conservative difficulty discovery protocol for effective SYN flood mitigation.

Findings

Restores application QoS under concentrated and spoofed floods.

Achieves 11.7% higher benign client throughput compared to ingress-only enforcement.

Maintains below 0.8% transient false escalations under 2% random loss.

Abstract

The stability of Internet services is persistently challenged by large volumetric TCP SYN floods, for which conventional defenses such as SYN Cookies preserve server state but still amplify bandwidth pressure. This paper presents SDN-SYN PoW, an ingress aware defense architecture that integrates non interactive Proof of Work with an SDN control plane for managed edge networks. The controller monitors per ingress SYN pressure and raises PoW difficulty when flooding is detected. If traffic mainly originates from a stable source region, enforcement is refined to the offending source prefix to reduce overhead on benign co located clients; otherwise, ingress wide enforcement is retained under randomized or spoofed sources. We further design a conservative Difficulty Discovery Protocol that reuses TCP retransmissions and commits difficulty updates only after a successful handshake. Experiments on a custom SDN testbed show restored application QoS under concentrated and spoofed floods, 11.7% higher benign client throughput than ingress only enforcement, and below 0.8% transient false escalations under 2% random loss.