The stability of Internet services is persistently challenged by large volumetric TCP SYN floods, against which conventional defenses such as SYN Cookies protect server state but still amplify bandwidth pressure. This paper presents SDN-SYN PoW, an ingress-aware defense architecture that integrates non-interactive Proof of Work with an SDN control plane for managed edge networks. The controller monitors per-ingress SYN pressure and raises PoW difficulty when flooding is detected. If traffic mainly originates from a stable source region, enforcement is refined to the offending source prefix to reduce overhead on benign co-located clients; otherwise, ingress-wide enforcement is retained under randomized or spoofed sources. We further design a conservative Difficulty Discovery Protocol that reuses TCP retransmissions and commits difficulty updates only after a successful handshake. Experiments on a custom SDN testbed show restored application QoS under concentrated and spoofed floods, 11.7% higher benign client throughput than ingress-only enforcement, and below 0.8% transient false escalations under 2% random loss.
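The abstract describes two decisions the controller makes: whether per-ingress SYN pressure has crossed a flood threshold, and whether the offending traffic is concentrated enough in one source prefix to scope enforcement to that prefix instead of the whole ingress. The following is an added illustration written for this page, not code from the SDN-SYN PoW paper or its testbed. The thresholds (`FLOOD_SYN_WINDOW`, `CONCENTRATION_RATIO`), the /24 prefix granularity, the difficulty schedule, the hash-based PoW puzzle and all IP addresses are assumptions chosen for the example; the paper's actual parameters are not given in the abstract.

```python
import hashlib
import ipaddress
from collections import Counter, defaultdict

# Assumed parameters (not from the paper): SYNs per observation window that
# count as a flood, leading-zero bits demanded once a flood is detected, the
# hard cap on difficulty, and the share of SYNs one /24 must contribute before
# the source region is treated as "stable" and enforcement is narrowed to it.
FLOOD_SYN_WINDOW = 1000
BASE_DIFFICULTY = 0
FLOOD_DIFFICULTY = 8
MAX_DIFFICULTY = 20
CONCENTRATION_RATIO = 0.6
PREFIX_LEN = 24


class Controller:
    """Toy SDN controller: tracks SYN sources per ingress and derives a policy."""

    def __init__(self):
        self.window = defaultdict(list)   # ingress -> source IPs seen this window
        self.policy = {}                  # ingress -> (scope, difficulty)

    def observe_syn(self, ingress, src_ip):
        self.window[ingress].append(src_ip)

    def evaluate(self, ingress):
        """Decide scope ('none', 'ingress' or a prefix) and PoW difficulty."""
        syns = self.window[ingress]
        count = len(syns)
        if count < FLOOD_SYN_WINDOW:
            self.policy[ingress] = ("none", BASE_DIFFICULTY)
            return self.policy[ingress]
        # Difficulty grows by one bit for every doubling of the flood threshold.
        extra = (count // FLOOD_SYN_WINDOW).bit_length() - 1
        difficulty = min(MAX_DIFFICULTY, FLOOD_DIFFICULTY + extra)
        prefixes = Counter(
            ipaddress.ip_network(f"{ip}/{PREFIX_LEN}", strict=False) for ip in syns
        )
        top_prefix, top_count = prefixes.most_common(1)[0]
        if top_count / count >= CONCENTRATION_RATIO:
            # Stable source region: enforce only on the offending prefix so that
            # benign clients behind the same ingress are not taxed.
            self.policy[ingress] = (str(top_prefix), difficulty)
        else:
            # Randomized or spoofed sources: no prefix stands out, fall back to
            # ingress-wide enforcement.
            self.policy[ingress] = ("ingress", difficulty)
        self.window[ingress] = []
        return self.policy[ingress]

    def required_difficulty(self, ingress, src_ip):
        """Difficulty a given client must satisfy under the current policy."""
        scope, difficulty = self.policy.get(ingress, ("none", BASE_DIFFICULTY))
        if scope == "none":
            return BASE_DIFFICULTY
        if scope == "ingress":
            return difficulty
        in_prefix = ipaddress.ip_address(src_ip) in ipaddress.ip_network(scope)
        return difficulty if in_prefix else BASE_DIFFICULTY


# Non-interactive PoW (assumed construction): the client binds the puzzle to
# the 4-tuple-like context it already knows, so the server needs no per-client
# challenge state before the handshake completes.
def _meets(src_ip, dst_ip, epoch, nonce, difficulty):
    material = f"{src_ip}|{dst_ip}|{epoch}|{nonce}".encode()
    value = int.from_bytes(hashlib.sha256(material).digest(), "big")
    return value >> (256 - difficulty) == 0


def solve_pow(src_ip, dst_ip, epoch, difficulty, limit=1 << 24):
    """Client side: search for a nonce whose hash has `difficulty` leading zero bits."""
    for nonce in range(limit):
        if _meets(src_ip, dst_ip, epoch, nonce, difficulty):
            return nonce
    return None


def verify_pow(src_ip, dst_ip, epoch, nonce, difficulty):
    """Server side: one hash to check the client's solution."""
    return _meets(src_ip, dst_ip, epoch, nonce, difficulty)


def concentrated_sources():
    # Constructed flood: 1000 SYNs from one /24 plus 200 from another prefix.
    return [f"10.0.1.{i % 254 + 1}" for i in range(1000)] + \
           [f"203.0.113.{i % 254 + 1}" for i in range(200)]


def spoofed_sources():
    # Constructed flood: 1200 SYNs spread over many distinct /24s.
    return [f"{10 + i % 200}.{i % 250}.{(i * 7) % 250}.1" for i in range(1200)]


if __name__ == "__main__":
    ctl = Controller()
    for ip in concentrated_sources():
        ctl.observe_syn("ingress-A", ip)
    print("concentrated:", ctl.evaluate("ingress-A"))
    for ip in spoofed_sources():
        ctl.observe_syn("ingress-B", ip)
    print("spoofed:", ctl.evaluate("ingress-B"))
    d = ctl.required_difficulty("ingress-A", "10.0.1.7")
    nonce = solve_pow("10.0.1.7", "192.0.2.10", 1700000000, d)
    print("nonce", nonce, "valid:", verify_pow("10.0.1.7", "192.0.2.10", 1700000000, nonce, d))
```

The prefix scoping is what buys the benign-throughput gain the abstract reports: a client at 203.0.113.5 behind the same ingress as the 10.0.1.0/24 flood pays nothing, while under the spoofed flood every client on that ingress must solve the puzzle. The Difficulty Discovery Protocol is not modelled here; in the paper's design the client learns the current difficulty through TCP retransmissions and the controller commits the new value only after a handshake succeeds.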