Me Love (SYN-)Cookies: SYN Flood Mitigation in Programmable Data Planes

Abstract: The SYN flood attack is a common attack strategy on the Internet, which tries to overload services with requests leading to a Denial-of-Service (DoS). Highly asymmetric costs for connection setup - putting the main burden on the attackee - make SYN flooding an efficient and popular DoS attack strategy. Abusing the widely used TCP as an attack vector complicates the detection of malicious traffic and its prevention utilizing naive connection blocking strategies. Modern programmable data plane devices are capable of handling traffic in the 10 Gbit/s range without overloading. We discuss how we can harness their performance to defend entire networks against SYN flood attacks. Therefore, we analyze different defense strategies, SYN authentication and SYN cookie, and discuss implementation difficulties when ported to different target data planes: software, network processors, and FPGAs. We provide prototype implementations and performance figures for all three platforms. Further, we fully disclose the artifacts leading to the experiments described in this work.