SmartCookie: Distributed In-Network SYN Flooding Mitigation, Sophia Yoo, G2 (3938706)
SYN-flooding attacks, a pervasive class of DDoS attacks, target the TCP three-way handshake to exhaust server resources, leading to poor performance for legitimate clients. In this work, we present SmartCookie, a distributed defense system for service providers to protect their servers from large-scale SYN flooding attacks. SmartCookie pushes the front line of defense to the network edge, placing an in-network SYN cookie proxy upstream of the servers and closer to the clients. Our design capitalizes on the distinctive capabilities of high-speed programmable switches by offloading some defense responsibilities to lightweight modules running within standard Linux kernels. Unlike traditional SYN cookie proxy defenses located at the server, SmartCookie is a split proxy with a novel division of labor between a high-speed, in-network switch and a lightweight server-side component. Our design protects downstream network bandwidth (by blocking attack traffic early in the path), scales to protect many servers at a time, and gracefully handles asymmetric routing. We implement SmartCookie with P4 (on Intel Tofino switches) and eBPF (on Linux servers), showing two orders of magnitude improvement over the standard Linux kernel's defense running on an 8-core CPU, and blocking attack rates of 136.9 million packets per second with no packet loss.
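To make the SYN-cookie mechanism behind a split proxy concrete, here is an added example (not SmartCookie's P4/eBPF code, nor the paper's cookie layout) of the two halves a cookie proxy needs: one component mints a cookie into the SYN-ACK's initial sequence number, and a separate component, sharing only a secret key and a coarse clock, validates the cookie echoed back in the client's ACK without any per-flow state. The bit layout, the 3-bit MSS table, the 2-tick freshness window and the keyed mixer (a stand-in for a real keyed hash such as SipHash) are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Four-tuple of the handshake as the proxy sees it in the SYN (host byte order). */
struct flow { uint32_t saddr, daddr; uint16_t sport, dport; };

/* Assumed MSS table: the cookie can only carry a 3-bit index into it. */
static const uint16_t mss_table[8] = {536, 1220, 1440, 1460, 4312, 8960, 9000, 65495};

/* Keyed 32-bit mixer over (4-tuple, clock tick, key): a placeholder for a real keyed
 * hash. Both halves of the proxy must share `key`, otherwise cookies never validate. */
static uint32_t mix(uint32_t key, const struct flow *f, uint32_t t) {
    uint32_t w[5] = {f->saddr, f->daddr, ((uint32_t)f->sport << 16) | f->dport, t, key};
    uint32_t h = key ^ 0x9e3779b9u;
    for (int i = 0; i < 5; i++) {
        h ^= w[i];
        h *= 0x01000193u;   /* FNV prime, used here only as a mixing multiplier */
        h ^= h >> 15;
    }
    return h;
}

/* Minting side: cookie becomes the ISN of the SYN-ACK. Layout (assumed):
 * bits 31..27 = clock tick mod 32, bits 26..24 = MSS index, bits 23..0 = keyed hash. */
uint32_t cookie_make(uint32_t key, const struct flow *f, uint32_t now, uint16_t mss) {
    uint8_t idx = 0;
    for (uint8_t i = 0; i < 8; i++)
        if (mss_table[i] <= mss) idx = i;          /* largest table entry <= client MSS */
    uint32_t t = now & 31;
    return (t << 27) | ((uint32_t)idx << 24) | (mix(key, f, t) & 0x00FFFFFFu);
}

/* Validating side: `cookie` is (ack - 1) from the client's ACK. No per-flow table is
 * consulted; the cookie is recomputed from the packet alone. Returns MSS or -1. */
int cookie_check(uint32_t key, const struct flow *f, uint32_t now, uint32_t cookie) {
    uint32_t t = cookie >> 27;
    uint32_t age = (now - t) & 31;                 /* modular distance in the 5-bit clock */
    if (age > 2) return -1;                        /* stale: outside the freshness window */
    if ((mix(key, f, t) & 0x00FFFFFFu) != (cookie & 0x00FFFFFFu)) return -1;  /* forged */
    return mss_table[(cookie >> 24) & 7];
}

int main(void) {
    struct flow f = {0x0a000001u, 0x0a000002u, 40000, 443};   /* constructed sample flow */
    uint32_t c = cookie_make(0xc0ffee11u, &f, 100, 1460);
    printf("cookie=0x%08x valid=%d stale=%d\n", c,
           cookie_check(0xc0ffee11u, &f, 101, c), cookie_check(0xc0ffee11u, &f, 105, c));
    return 0;
}
```

A spoofed ACK from a flooder carrying a guessed ISN fails the 24-bit hash check and is dropped before any connection state is allocated, which is the property that lets the defense sit statelessly in the fast path.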