
arxiv: 2603.06668 · v3 · submitted 2026-03-02 · 💻 cs.NI · cs.CR


SDN-SYN PoW: Adaptive Ingress-Aware Defense with Non-Interactive PoW Against Volumetric SYN Floods


Pith reviewed 2026-05-15 16:34 UTC · model grok-4.3

classification 💻 cs.NI cs.CR
keywords: SDN, SYN flood, Proof of Work, DDoS defense, ingress monitoring, adaptive difficulty, TCP handshake

The pith

SDN-SYN PoW monitors per-ingress SYN pressure to raise non-interactive PoW difficulty and refines enforcement to stable source prefixes when possible.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper proposes an SDN-integrated defense that applies non-interactive proof of work at network edges to counter volumetric TCP SYN floods. The controller tracks SYN pressure at each ingress and increases difficulty on detection, narrowing the requirement to offending prefixes when sources remain stable to spare co-located legitimate clients. A conservative protocol reuses retransmissions and commits changes only after successful handshakes. Experiments on a custom testbed report restored application quality of service, 11.7 percent higher benign throughput than ingress-only methods, and under 0.8 percent transient false escalations at 2 percent loss.

Core claim

SDN-SYN PoW integrates non-interactive Proof of Work with an SDN control plane for managed edge networks. The controller monitors per-ingress SYN pressure and raises PoW difficulty when flooding is detected. If traffic mainly originates from a stable source region, enforcement is refined to the offending source prefix to reduce overhead on benign co-located clients; otherwise ingress-wide enforcement is retained under randomized or spoofed sources. A conservative Difficulty Discovery Protocol reuses TCP retransmissions and commits difficulty updates only after a successful handshake.

What carries the argument

Adaptive per-ingress PoW difficulty adjustment with optional prefix refinement, driven by SDN monitoring of SYN pressure and a conservative retransmission-based discovery protocol.
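
The control loop described above, sketched as an added example; it is not code from the paper or from Pith. The threshold, concentration share, stability window, /24 granularity and difficulty ramp are all assumptions, since the page states none of them, and `IngressPolicy` is a hypothetical name.

```python
from collections import Counter
from ipaddress import ip_network
from math import log2

# Assumed tuning values: the page gives no threshold, window or ramp function.
SYN_THRESHOLD = 1000   # SYNs per window at one ingress that count as a flood
CONCENTRATION = 0.6    # share of SYNs one source prefix needs to be "dominant"
STABLE_WINDOWS = 3     # consecutive windows of dominance before refining
PREFIX_LEN = 24        # granularity of source-prefix enforcement
START_BITS, MAX_BITS = 8, 20   # PoW difficulty range in leading zero bits


class IngressPolicy:
    """Controller-side state for one ingress port (hypothetical helper)."""

    def __init__(self):
        self.dominant = None   # prefix that dominated the previous window
        self.streak = 0        # how many windows in a row it has dominated

    def observe(self, syn_sources):
        """Take the source IPs of one window's SYNs; return (scope, target, bits)."""
        total = len(syn_sources)
        if total < SYN_THRESHOLD:
            self.dominant, self.streak = None, 0
            return ("none", None, 0)
        # Difficulty grows with how far the pressure exceeds the threshold.
        bits = min(MAX_BITS, START_BITS + int(log2(total / SYN_THRESHOLD)))
        prefixes = Counter(
            str(ip_network(f"{s}/{PREFIX_LEN}", strict=False)) for s in syn_sources
        )
        top, count = prefixes.most_common(1)[0]
        if count / total >= CONCENTRATION:
            self.streak = self.streak + 1 if top == self.dominant else 1
            self.dominant = top
        else:
            # Randomized or spoofed sources: no prefix is worth singling out.
            self.dominant, self.streak = None, 0
        if self.streak >= STABLE_WINDOWS:
            return ("prefix", top, bits)
        return ("ingress", None, bits)


# Constructed sample windows (documentation and private ranges, not real traffic).
BENIGN = [f"192.0.2.{i % 200 + 1}" for i in range(200)]
CONCENTRATED = BENIGN + [f"198.51.100.{i % 254 + 1}" for i in range(3000)]
SPOOFED = BENIGN + [f"10.{i // 256}.{i % 256}.1" for i in range(4000)]

if __name__ == "__main__":
    policy = IngressPolicy()
    for name, window in [("flood", CONCENTRATED)] * 3 + [("spoofed", SPOOFED)]:
        print(name, policy.observe(window))
```

Once the scope narrows to the prefix, the constructed benign clients in 192.0.2.0/24 behind the same ingress no longer need to solve a puzzle; the spoofed window resets the streak and enforcement falls back to the whole ingress.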

If this is right

  • Application QoS is restored under both concentrated and spoofed floods.
  • Benign client throughput rises 11.7 percent above ingress-only enforcement.
  • Transient false escalations remain below 0.8 percent even at 2 percent random loss.
  • Difficulty updates occur only after verified handshakes, limiting client disruption.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The prefix-refinement logic could be tested on real ISP traces to measure how often stable regions appear versus randomized attacks.
  • Integration with existing SDN rate limiters at the edge might further reduce the need for PoW on mixed traffic.
  • If prefix stability proves lower in production IPv6 deployments, the system would default more often to ingress-wide mode.

Load-bearing premise

That per-ingress SYN pressure can be measured accurately enough to separate floods from legitimate bursts and that source regions remain stable long enough for prefix refinement to work.

What would settle it

A distributed spoofed attack from many short-lived prefixes that either produces sustained high false escalations or fails to raise difficulty before server resources are exhausted.

Figures

Figures reproduced from arXiv: 2603.06668 by Jingjing Wang, Kai Lei, Wenyang Jia, Xianneng Zou.

Figure 1: Experimental topology (clients, attackers, …
Figure 2: Experimental results comparing defense mechanisms. (a) Both SYN Cookies and SDN-SYN PoW impose …

Original abstract

The stability of Internet services is persistently challenged by large volumetric TCP SYN floods, for which conventional defenses such as SYN Cookies preserve server state but still amplify bandwidth pressure. This paper presents SDN-SYN PoW, an ingress-aware defense architecture that integrates non-interactive Proof of Work with an SDN control plane for managed edge networks. The controller monitors per-ingress SYN pressure and raises PoW difficulty when flooding is detected. If traffic mainly originates from a stable source region, enforcement is refined to the offending source prefix to reduce overhead on benign co-located clients; otherwise, ingress-wide enforcement is retained under randomized or spoofed sources. We further design a conservative Difficulty Discovery Protocol that reuses TCP retransmissions and commits difficulty updates only after a successful handshake. Experiments on a custom SDN testbed show restored application QoS under concentrated and spoofed floods, 11.7% higher benign client throughput than ingress-only enforcement, and below 0.8% transient false escalations under 2% random loss.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript presents SDN-SYN PoW, an SDN-based defense architecture that integrates non-interactive Proof-of-Work with per-ingress SYN-pressure monitoring. The controller adaptively raises PoW difficulty on detected floods and refines enforcement to stable source prefixes when possible; a conservative Difficulty Discovery Protocol re-uses TCP retransmissions. Testbed experiments are claimed to restore application QoS under concentrated and spoofed floods, deliver 11.7% higher benign-client throughput than ingress-only enforcement, and keep transient false escalations below 0.8% under 2% random loss.

Significance. If the experimental claims hold, the work supplies a practical, low-overhead adaptive mechanism that reduces collateral damage to benign traffic relative to static ingress enforcement while remaining compatible with existing TCP stacks. The reuse of retransmissions for difficulty negotiation is a concrete engineering contribution that could be adopted in managed edge networks.

major comments (2)
  1. [Experimental evaluation] Experimental evaluation: the reported 11.7% throughput gain and <0.8% false-escalation rate are given without error bars, without any description of how the PoW difficulty escalation threshold or measurement window was selected, and without baselines beyond 'ingress only enforcement'. These omissions prevent verification that the numbers are robust rather than the product of post-hoc tuning.
  2. [Detection mechanism] Detection and refinement logic: the adaptive loop depends on per-ingress SYN pressure reliably distinguishing floods from legitimate bursts and on source regions remaining stable long enough for safe prefix refinement, yet the manuscript provides no concrete threshold, stability metric, or validation against bursty legitimate traffic or low-rate distributed attacks. If either assumption fails, the claimed QoS restoration and overhead reduction do not follow.
minor comments (2)
  1. A short comparison table in the introduction or related-work section would help readers situate SDN-SYN PoW against SYN cookies, ingress filtering, and prior SDN DDoS defenses.
  2. The Difficulty Discovery Protocol would benefit from a formal algorithmic listing or pseudocode before its prose description.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments. We address each major point below and will revise the manuscript to strengthen the experimental reporting and detection details.

  1. Referee: [Experimental evaluation] Experimental evaluation: the reported 11.7% throughput gain and <0.8% false-escalation rate are given without error bars, without any description of how the PoW difficulty escalation threshold or measurement window was selected, and without baselines beyond 'ingress only enforcement'. These omissions prevent verification that the numbers are robust rather than the product of post-hoc tuning.

    Authors: We agree that additional statistical details and baselines are needed to demonstrate robustness. In the revised manuscript we will report error bars from repeated testbed runs for the 11.7% throughput gain and false-escalation rate, describe the calibration process used to select the escalation threshold and measurement window, and add comparisons against SYN cookies and rate-limiting baselines. revision: yes

  2. Referee: [Detection mechanism] Detection and refinement logic: the adaptive loop depends on per-ingress SYN pressure reliably distinguishing floods from legitimate bursts and on source regions remaining stable long enough for safe prefix refinement, yet the manuscript provides no concrete threshold, stability metric, or validation against bursty legitimate traffic or low-rate distributed attacks. If either assumption fails, the claimed QoS restoration and overhead reduction do not follow.

    Authors: We will revise the manuscript to state the exact SYN-pressure threshold and source-prefix stability metric employed by the controller. We will also add targeted experiments that validate the adaptive loop under bursty legitimate traffic and low-rate distributed attacks, confirming that the QoS restoration and overhead reduction claims remain valid when these conditions are tested. revision: yes

Circularity Check

0 steps flagged

No circularity: experimental results are direct testbed measurements with no derived predictions or self-referential equations


The paper presents an architecture for adaptive PoW enforcement in SDN and reports empirical outcomes from a custom testbed (restored QoS, 11.7% throughput gain, <0.8% false escalations). No equations, first-principles derivations, or predictions appear in the provided text. Performance figures are stated as direct measurements rather than quantities computed from parameters fitted inside the same dataset or loop. Detection logic and prefix-refinement rules are described at a high level without thresholds or closed-form relations that would make results tautological. No self-citations are invoked as load-bearing uniqueness theorems. The central claims therefore remain independent of the inputs they evaluate.

Axiom & Free-Parameter Ledger

1 free parameters · 2 axioms · 0 invented entities

The central claim rests on the ability of an SDN controller to obtain accurate per-ingress SYN counts and on the assumption that source stability can be observed quickly enough to justify prefix narrowing. No new physical entities are postulated.

free parameters (1)
  • PoW difficulty escalation threshold
    Raised when flooding is detected; exact trigger values and ramp functions are not stated in the abstract.
axioms (2)
  • domain assumption: SDN controller can obtain reliable per-ingress SYN arrival rates in real time
    Invoked to trigger difficulty changes; required for both detection and prefix refinement logic.
  • domain assumption: TCP retransmissions can be reused to deliver PoW challenges without breaking standard client stacks
    Stated as part of the conservative Difficulty Discovery Protocol.


Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. OpenCLAW-Nexus: A Self-Reinforcing Trust Framework for Byzantine-Resilient Decentralized Federated Learning

    cs.NI 2026-04 unverdicted novelty 5.0

    OpenCLAW-Nexus uses a single discounted Beta-reputation model to unify reputation-based node selection, Rep-FedAvg aggregation, and reputation-aware BFT consensus, achieving Byzantine resilience in decentralized FL wi...
