Jisuanji kexue (Oct 2021)
TopoObfu: A Network Topology Obfuscation Mechanism to Defense Network Reconnaissance
Abstract
Some typical network attacks, such as the link-flooding attack, are carried out against critical links identified through topology reconnaissance, and are both highly destructive and stealthy. To defend against these attacks effectively, TopoObfu, a topology obfuscation mechanism against network reconnaissance, is proposed. TopoObfu can add virtual links to the real network according to the requirements of network topology obfuscation, present the attacker with a fake topology by modifying the forwarding rules for probing packets, and so hide the critical links in the network. To facilitate implementation, TopoObfu maps the fake topology to the flow table entries that SDN switches use for packet processing, and it can be deployed in a hybrid network where only some of the nodes are SDN switches. Simulation analysis based on several typical real network topologies shows that TopoObfu effectively increases the difficulty of an attacker's critical-link analysis in terms of link importance, network structure entropy, path similarity and so on, is efficient to implement in terms of the number of flow table entries in SDN switches and the time needed to generate the fake topology, and can reduce the probability of critical links being attacked.
Keywords