Computer Science ›› 2021, Vol. 48 ›› Issue (10): 278-285.doi: 10.11896/jsjkx.210400296

• Information Security • Previous Articles     Next Articles

TopoObfu:A Network Topology Obfuscation Mechanism to Defense Network Reconnaissance

LIU Ya-qun, XING Chang-you, GAO Ya-zhuo, ZHANG Guo-min   

  1. College of Command and Control Engineering,Army Engineering University of PLA,Nanjing 210007,China
  • Received:2021-04-28 Revised:2021-05-29 Online:2021-10-15 Published:2021-10-18
  • About author:LIU Ya-qun,born in 1996,postgra-duate.His main research interests include software defined network and cyberspace security.
    XING Chang-you,born in 1982,Ph.D,associate professor.His main research interests include software defined network and network measurement.

Abstract: Some typical network attacks,such as link-flooding attack,need to be carried out on critical links based on topology reconnaissance,which has strong destructiveness and stealthiness.In order to defense these attacks effectively,TopoObfu,a topology obfuscation mechanism against network reconnaissance,is proposed.TopoObfu can add virtual links to the real network according to the requirements of network topology obfuscation,and provide attacker with fake topology by modifying the forwar-ding rules of probing packets,and hide critical links in the network.To facilitate the implementation,TopoObfu maps the fake topology to the flow table entries used by SDN switches for packet processing,and can be deployed in the hybrid network where only part of the nodes are SDN switches.The simulation analysis based on several typical real network topologies shows that TopoObfu can effectively improve the difficulty of critical links analysis launched by attackers in terms of link importance,network structure entropy,path similarity and so on,and has high implementation efficiency in terms of the number of flow table entries in SDN switches,the generated time of fake topology,and can reduce the probability of critical links being attacked.

Key words: Critical links, Link-flooding attack, Network reconnaissance, Topology obfuscation

CLC Number: 

  • TP393
[1]DOULIGERIS C,MITROKOTSA A.DDoS attacks and defense mechanisms:classification and state-of-the-art[J].Computer Networks,2004,44(5):643-666.
[3]KANG M S,LEE S B,GLIGOR V D.The crossfire attack[C]//2013 IEEE symposium on security and privacy.IEEE,2013:127-141.
[4]STUDER A,PERRIG A.The coremelt attack[C]//European Symposium on Research in Computer Security.Berlin:Springer,2009:37-52.
[5]BRIGHT P.Can a ddos break the internet? Sure…Just not all of it[EB/OL].(2013-04-02)[2021-05-18].
[6]BARABÁSI A L.Scale-free networks:a decade and beyond[J].Science,2009,325(5939):412-413.
[7]MCKEOWN N,ANDERSON T,BALAKRISHNAN H,et al.OpenFlow:enabling innovation in campus networks[J].ACM SIGCOMM Computer Communication Review,2008,38(2):69-74.
[8]WANG J,WEN R,LI J,et al.Detecting and mitigating target link-flooding attacks using sdn[J].IEEE Transactions on Dependable and Secure Computing,2018,16(6):944-956.
[9]WANG L,LI Q,JIANG Y,et al.Woodpecker:Detecting andmitigating link-flooding attacks via SDN[J].Computer Networks,2018,147:1-13.
[10]TRASSARE S T,BEVERLY R,ALDERSON D.A techniquefor network topology deception[C]//MILCOM 2013-2013 IEEE Military Communications Conference.IEEE,2013:1795-1800.
[11]KIM J,SHIN S.Software-defined HoneyNet:Towards mitigating link flooding attacks[C]//2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W).IEEE,2017:99-100.
[12]BARABÁSI A L,ALBERT R.Emergence of scaling in random networks[J].Science,1999,286(5439):509-512.
[13]WANG Q,XIAO F,ZHOU M,et al.Linkbait:active link obfuscation to thwart link-flooding attacks[J].arXiv:1703.09521,2017.
[14]AYDEGER A,SAPUTRO N,AKKAYA K.Utilizing NFV for Effective Moving Target Defense against Link Flooding Reconnaissance Attacks[C]//2018 IEEE Military Communications Conference(MILCOM),New York.IEEE,2018:946-951.
[15]MEIER R,TSANKOV P,LENDERS V,et al.NetHide:Secure and practical network topology obfuscation[C]//27th USENIX Security Symposium (USENIX Security 18).2018:693-709.
[16]KERNEN T.Traceroute[EB/OL].[2021-05-18].
[17]NETWORKX D.Networkx[EB/OL].[2021-05-18].
[18]Welcome to RYU the Network Operating System(NOS)[EB/OL].[2021-05-18].
[19]2021 Mininet Project Contributors.Mininet[EB/OL].[2021-05-18].
[21]Nicira Extension Structures[EB/OL].[2021-05-18].
[22]THE UNIVERSITY OF ADELAIDE.The internet topologyzoo[EB/OL].(2013-04-16) [2021-05-18].
[23]COATES M,CASTRO R,NOWAK R,et al.Maximum likeli-hood network topology identification from edge-based unicast measurements[J].ACM SIGMETRICS Performance Evaluation Review,2002,30(1):11-20.
[24]BOSSHART P,DALY D,GIBB G,et al.P4:Programming protocol-independent packet processors[J].ACM SIGCOMM Computer Communication Review,2014,44(3):87-95.
[1] LI Shao-hui, ZHANG Guo-min, SONG Li-hua, WANG Xiu-lei. Incomplete Information Game Theoretic Analysis to Defend Fingerprinting [J]. Computer Science, 2021, 48(8): 291-299.
[2] ZHAO Jin-long, ZHANG Guo-min, XING Chang-you, SONG Li-hua, ZONG Yi-ben. Self-adaptive Deception Defense Mechanism Against Network Reconnaissance [J]. Computer Science, 2020, 47(12): 304-310.
[3] SHEN Pu-bing, ZHAO Zhan-dong and GONG Qiang-bing. Research on Evaluation of Computer Network Operation Based on Capacity Factor [J]. Computer Science, 2016, 43(Z6): 505-507.
Full text



No Suggested Reading articles found!