The SYN flood attack is a common attack strategy on the Internet, which tries to overload services with requests leading to a Denial-of-Service (DoS). Highly asymmetric costs for connection setup - putting the main burden on the attackee - make SYN flooding an efficient and popular DoS attack strategy. Abusing the widely used TCP as an attack vector complicates the detection of malicious traffic and its prevention utilizing naive connection blocking strategies. Modern programmable data plane devices are capable of handling traffic in the 10 Gbit/s range without overloading. We discuss how we can harness their performance to defend entire networks against SYN flood attacks. Therefore, we analyze different defense strategies, SYN authentication and SYN cookie, and discuss implementation difficulties when ported to different target data planes: software, network processors, and FPGAs. We provide prototype implementations and performance figures for all three platforms. Further, we fully disclose the artifacts leading to the experiments described in this work.

中文翻译：

---

Me Love (SYN-)Cookies：可编程数据平面中的 SYN Flood 缓解

SYN Flood 攻击是 Internet 上的一种常见攻击策略，它试图通过导致拒绝服务 (DoS) 的请求使服务过载。连接设置的高度不对称成本 - 将主要负担放在攻击者身上 - 使 SYN 泛洪成为一种有效且流行的 DoS 攻击策略。滥用广泛使用的 TCP 作为攻击向量会使恶意流量的检测及其利用幼稚的连接阻止策略进行预防变得复杂。现代可编程数据平面设备能够处理 10 Gbit/s 范围内的流量而不会过载。我们讨论了如何利用它们的性能来保护整个网络免受 SYN 洪水攻击。因此，我们分析了不同的防御策略，SYN 认证和 SYN cookie，并讨论了移植到不同目标数据平面时的实现难点：软件、网络处理器和 FPGA。我们为所有三个平台提供原型实现​​和性能数据。此外，我们充分披露了导致这项工作中描述的实验的工件。