Tunnel enabled programmable switches obfuscate network topology to defend against link flooding reconnaissance in software defined networking (open access)
- Authors
- 이연준
- Issue Date
- Oct-2025
- Publisher
- NATURE PORTFOLIO
- Citation
- SCIENTIFIC REPORTS, v.15, pp 1 - 18
- Pages
- 18
- Indexed
- SCIE, SCOPUS
- Journal Title
- SCIENTIFIC REPORTS
- Volume
- 15
- Start Page
- 1
- End Page
- 18
- URI
- https://scholarworks.bwise.kr/erica/handle/2021.sw.erica/126665
- DOI
- 10.1038/s41598-025-19566-7
- ISSN
- 2045-2322
- Abstract
- Recently, Software-Defined Networking (SDN) has emerged as an increasingly popular network paradigm due to its virtualization capabilities and flexibility. However, its robustness in link connectivity is threatened by Link Flooding Attacks (LFAs). To launch LFAs, adversaries use probing tools to infer network topologies and identify target links with bottlenecks. Thus, protecting SDN topologies against disclosure is crucial to ensure system security and preserve infrastructure functionality. We propose TEPS (Tunnel-Enabled Programmable Switches), a proactive defense system that dynamically obfuscates network topologies to defend against adversarial reconnaissance in SDN. TEPS generates false topologies by leveraging the flexibility of emerging programmable switches to construct customized tunnels and manipulate probing packets using the P4 language. This prevents adversaries from obtaining accurate knowledge of network topologies, making it difficult to reconstruct the true topologies. Furthermore, TEPS counters Round-Trip Time (RTT)-based fingerprinting attacks by dynamically adjusting packet delays and routing traffic to conceal RTT variations. Our evaluation demonstrates that TEPS effectively reduces the distribution of link importance in network topologies compared to the latest proactive defense method, thereby concealing bottlenecks and disrupting adversarial topology reconnaissance, including thwarting RTT-based fingerprinting attempts. Furthermore, by leveraging the capabilities of P4 switches, TEPS introduces minimal network overhead, with at most a 3% reduction in throughput and a 9.57% increase in resource utilization, showing practical feasibility under real-world operational constraints. By implementing TEPS, network administrators can enhance the security of their SDN infrastructures against LFAs and maintain robust connectivity through a lightweight approach.
- Appears in Collections
- COLLEGE OF COMPUTING > ERICA 컴퓨터학부 > 1. Journal Articles

Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.