[2025.08.13] SYN Proof-of-Work: Improving Volumetric DoS Resilience in TCP
Abstract:
This paper presents and evaluates SYN PoW, a novel approach to mitigating TCP SYN flooding attacks using miniature proofs-of-work. SYN Floods have been a common threat on the Internet for decades, and have increased dramatically in both scale and frequency in recent years. Currently, SYN Cookies are widely deployed as a mitigation against this threat, but as we demonstrate they scale poorly with the volume of attack and can be detrimental to performance. SYN PoW plays a similar role, but with several key advantages: (1) it protects bandwidth by dropping malicious SYNs without sending SYN-ACKs in response; (2) it facilitates in-network verification, enabling middleboxes to detect and drop malicious packets before they reach their target; (3) it shifts the primary cost burden of mitigation from attack victims to attackers themselves; and (4) it protects against spoofing attacks without requiring source address validation. We explain how proofs-of-work can be added to SYN packets in a way that complies with the current TCP standard, and demonstrate how SYN PoW outperforms SYN Cookies under high-volume SYN floods in controlled testbed experiments.
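The following added example is a generic hashcash-style sketch of the idea in the abstract and is not the paper's construction: the sender pays roughly 2^BITS hashes per SYN, while a server or middlebox checks it with one hash, keeps no per-connection state and sends no SYN-ACK for failures. SHA-256, the hashed fields, `BITS`, `MAX_AGE` and all function names are assumptions made for illustration.

```python
import hashlib
import socket
import struct

BITS = 12     # assumed difficulty: required leading zero bits
MAX_AGE = 2   # assumed freshness window, in timestamp units

def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the front of a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def pow_digest(syn: tuple, nonce: int) -> bytes:
    """Hash the (assumed) SYN fields together with the candidate nonce."""
    src, dst, sport, dport, isn, ts = syn
    data = socket.inet_aton(src) + socket.inet_aton(dst)
    data += struct.pack("!HHIII", sport, dport, isn, ts, nonce)
    return hashlib.sha256(data).digest()

def solve(syn: tuple, bits: int = BITS) -> int:
    """Sender side: brute-force the smallest nonce, about 2**bits hashes."""
    nonce = 0
    while leading_zero_bits(pow_digest(syn, nonce)) < bits:
        nonce += 1
    return nonce

def verify(syn: tuple, nonce: int, now: int, bits: int = BITS) -> bool:
    """Receiver or middlebox side: one hash, no stored state.

    A False result means the SYN is dropped silently (no SYN-ACK).
    The hash covers the source address, so a solution copied onto a
    different address passes only with probability 2**-bits.
    """
    ts = syn[5]
    if not 0 <= now - ts <= MAX_AGE:   # stale or future-dated proof
        return False
    return leading_zero_bits(pow_digest(syn, nonce)) >= bits

# Constructed sample SYN: (src, dst, sport, dport, isn, timestamp)
SYN = ("192.0.2.10", "198.51.100.5", 40000, 443, 0x1A2B3C4D, 1000)

if __name__ == "__main__":
    n = solve(SYN)
    print("nonce", n, "cost", n + 1, "hashes; verify cost 1 hash")
    print("fresh:", verify(SYN, n, now=1001))
    print("stale:", verify(SYN, n, now=1010))
```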
Paper (IEEE SP 2025) : https://ieeexplore.ieee.org/abstract/document/11023284
The original PPT file could not be uploaded because of the file size limit; if you need it, please contact me separately and I will send it to you.