Adaptive Intent-Aware PoW Mechanism in SDN for Multi-Domain SYN Flood Mitigation
It addresses the problem of volumetric SYN flood attacks for network edge security in SD-WAN deployments, offering an adaptive defense that minimizes impact on legitimate traffic.
The paper proposes SDN-SYN PoW, a defense against TCP SYN floods that combines non-interactive Proof-of-Work with SDN control to dynamically adjust PoW difficulty based on global traffic sensing. Experiments show it provides superior protection with negligible overhead for legitimate clients.
The stability of Internet services is persistently challenged by the escalating scale of volumetric TCP SYN floods, as conventional defenses like SYN Cookies fail by exacerbating bandwidth depletion under modern attacks. This paper introduces SDN-SYN PoW, a novel defense architecture that synergizes non-interactive Proof-of-Work with a Software-Defined Networking (SDN) control plane, an approach particularly effective for securing the network edge in modern SD-WAN deployments. The core innovation is its ability to perform global network sensing; the SDN controller monitors real-time traffic to dynamically adjust PoW difficulty, transforming the defense from a static mechanism into an intelligent, adaptive system that surgically applies computational costs only to anomalous sources. Through rigorous experiments on a custom-built testbed, we demonstrate that SDN-SYN PoW provides substantially superior protection and, critically, that the PoW overhead remains negligible for legitimate clients, ensuring compatibility even with low-power devices.