NetObfu: A lightweight and efficient network topology obfuscation defense scheme
Computers & Security (IF 5.6), Pub Date: 2021-08-20, DOI: 10.1016/j.cose.2021.102447
Yaqun Liu 1 , Jinlong Zhao 1 , Guomin Zhang 1 , Changyou Xing 1

Link flooding attack (LFA) is an attack based on network topology information. It has been one of the major threats to the Internet due to its low cost and high concealability. Existing active defenses against LFA either rely on additional methods to detect malicious traffic or reduce the usefulness of network diagnostic tools for benign purposes. In this paper, a lightweight, low-loss network topology obfuscation scheme is proposed. We have designed a set of efficient algorithms that can calculate a secure virtual topology for a large topology of hundreds of nodes in a few seconds, hiding important links in the network while luring attackers to preset honey links. Then, we control different nodes to respond to probe packets in accordance with the virtual topology. There is no need to reroute flows or add additional header information in the forwarding process, so we can capture and modify the packets at line rate. We implemented a prototype of NetObfu in an SDN environment and evaluated it through large-scale experiments with different real topologies. The results confirmed the effectiveness and efficiency of our solution.




Updated: 2021-08-29