Computer Science ›› 2021, Vol. 48 ›› Issue (10): 278-285. doi: 10.11896/jsjkx.210400296

• Information Security •

TopoObfu:A Network Topology Obfuscation Mechanism to Defense Network Reconnaissance

LIU Ya-qun, XING Chang-you, GAO Ya-zhuo, ZHANG Guo-min

  1. College of Command and Control Engineering, Army Engineering University of PLA, Nanjing 210007, China
  • Received: 2021-04-28 Revised: 2021-05-29 Online: 2021-10-15 Published: 2021-10-18
  • Corresponding author: XING Chang-you (changyouxing@126.com)
  • Author contact: 1049178231@qq.com
  • About author: LIU Ya-qun, born in 1996, postgraduate. His main research interests include software defined network and cyberspace security.
    XING Chang-you, born in 1982, Ph.D, associate professor. His main research interests include software defined network and network measurement.

Abstract: Typical network attacks such as link-flooding attacks rely on topology reconnaissance to target the critical links in a network, and are both highly destructive and stealthy. To defend against such attacks effectively, TopoObfu, a topology obfuscation mechanism against network reconnaissance, is proposed. According to the requirements of network topology obfuscation, TopoObfu adds virtual links to the real network and modifies the forwarding rules for probing packets so that the attacker obtains a fake topology, which hides the critical links in the network. To ease implementation, TopoObfu maps the fake topology to the flow table entries that SDN switches use for packet processing, and it can be deployed in hybrid networks where only some of the nodes are SDN switches. Simulation analysis based on several typical real network topologies shows that TopoObfu effectively increases the difficulty of an attacker's critical-link analysis in terms of link importance, network structure entropy and path similarity, achieves high implementation efficiency in terms of the number of flow table entries in SDN switches and the generation time of the obfuscated topology, and can reduce the probability of critical links being attacked.

Key words: Critical links, Link-flooding attack, Network reconnaissance, Topology obfuscation

CLC Number:

  • TP393