Tunnel enabled programmable switches obfuscate network topology to defend against link flooding reconnaissance in software defined networking.

IF 3.9 2区综合性期刊 Q1 MULTIDISCIPLINARY SCIENCES

Scientific Reports Pub Date : 2025-10-10 DOI:10.1038/s41598-025-19566-7

Xiang Li, Jungmin Lee, Junggab Son, Yeonjoon Lee

{"title":"Tunnel enabled programmable switches obfuscate network topology to defend against link flooding reconnaissance in software defined networking.","authors":"Xiang Li, Jungmin Lee, Junggab Son, Yeonjoon Lee","doi":"10.1038/s41598-025-19566-7","DOIUrl":null,"url":null,"abstract":"<p><p>Recently, Software-Defined Networking (SDN) has emerged as an increasingly popular network paradigm due to its virtualization capabilities and flexibility. However, its robustness in link connectivity is threatened by Link Flooding Attacks (LFAs). To launch LFAs, adversaries use probing tools to infer network topologies and identify target links with bottlenecks. Thus, protecting SDN topologies against disclosure is crucial to ensure system security and preserve infrastructure functionality. We propose TEPS (Tunnel-Enabled Programmable Switches), a proactive defense system that dynamically obfuscates network topologies to defend against adversarial reconnaissance in SDN. TEPS generates false topologies by leveraging the flexibility of emerging programmable switches to construct customized tunnels and manipulate probing packets using the P4 language. This prevents adversaries from obtaining accurate knowledge of network topologies, making it difficult to reconstruct the true topologies. Furthermore, TEPS counters Round-Trip Time (RTT)-based fingerprinting attacks by dynamically adjusting packet delays and routing traffic to conceal RTT variations. Our evaluation demonstrates that TEPS effectively reduces the distribution of link importance in network topologies compared to the latest proactive defense method, thereby concealing bottlenecks and disrupting adversarial topology reconnaissance, including thwarting RTT-based fingerprinting attempts. Furthermore, by leveraging the capabilities of P4 switches, TEPS introduces minimal network overhead, with at most a 3% reduction in throughput and a 9.57% increase in resource utilization, showing practical feasibility under real-world operational constraints. By implementing TEPS, network administrators can enhance the security of their SDN infrastructures against LFAs and maintain robust connectivity through a lightweight approach.</p>","PeriodicalId":21811,"journal":{"name":"Scientific Reports","volume":"15 1","pages":"35549"},"PeriodicalIF":3.9000,"publicationDate":"2025-10-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Scientific Reports","FirstCategoryId":"103","ListUrlMain":"https://doi.org/10.1038/s41598-025-19566-7","RegionNum":2,"RegionCategory":"综合性期刊","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"MULTIDISCIPLINARY SCIENCES","Score":null,"Total":0}

引用次数: 0

Abstract

Recently, Software-Defined Networking (SDN) has emerged as an increasingly popular network paradigm due to its virtualization capabilities and flexibility. However, its robustness in link connectivity is threatened by Link Flooding Attacks (LFAs). To launch LFAs, adversaries use probing tools to infer network topologies and identify target links with bottlenecks. Thus, protecting SDN topologies against disclosure is crucial to ensure system security and preserve infrastructure functionality. We propose TEPS (Tunnel-Enabled Programmable Switches), a proactive defense system that dynamically obfuscates network topologies to defend against adversarial reconnaissance in SDN. TEPS generates false topologies by leveraging the flexibility of emerging programmable switches to construct customized tunnels and manipulate probing packets using the P4 language. This prevents adversaries from obtaining accurate knowledge of network topologies, making it difficult to reconstruct the true topologies. Furthermore, TEPS counters Round-Trip Time (RTT)-based fingerprinting attacks by dynamically adjusting packet delays and routing traffic to conceal RTT variations. Our evaluation demonstrates that TEPS effectively reduces the distribution of link importance in network topologies compared to the latest proactive defense method, thereby concealing bottlenecks and disrupting adversarial topology reconnaissance, including thwarting RTT-based fingerprinting attempts. Furthermore, by leveraging the capabilities of P4 switches, TEPS introduces minimal network overhead, with at most a 3% reduction in throughput and a 9.57% increase in resource utilization, showing practical feasibility under real-world operational constraints. By implementing TEPS, network administrators can enhance the security of their SDN infrastructures against LFAs and maintain robust connectivity through a lightweight approach.

查看原文本刊更多论文

隧道使能的可编程交换机混淆网络拓扑，以防御软件定义网络中的链路泛洪侦察。

最近，由于其虚拟化能力和灵活性，软件定义网络（SDN）已经成为一种日益流行的网络范例。但是，链路泛洪攻击（link Flooding Attacks, lfa）会对其链路连通性的鲁棒性造成威胁。为了启动lfa，攻击者使用探测工具来推断网络拓扑并识别具有瓶颈的目标链路。因此，保护SDN拓扑免遭泄露对于确保系统安全和保护基础设施功能至关重要。我们提出TEPS（隧道启用可编程交换机），这是一种主动防御系统，可以动态模糊网络拓扑以防御SDN中的对抗性侦察。TEPS通过利用新兴可编程交换机的灵活性来构建定制的隧道并使用P4语言操纵探测数据包，从而生成假拓扑。这使得攻击者无法获得准确的网络拓扑知识，从而难以重建真实的拓扑。此外，TEPS通过动态调整数据包延迟和路由流量来隐藏RTT变化，从而对抗基于往返时间（RTT）的指纹攻击。我们的评估表明，与最新的主动防御方法相比，TEPS有效地降低了网络拓扑中链路重要性的分布，从而隐藏瓶颈并破坏对抗性拓扑侦察，包括挫败基于rtt的指纹尝试。此外，通过利用P4交换机的功能，TEPS引入了最小的网络开销，吞吐量最多减少3%，资源利用率增加9.57%，在实际操作限制下显示出实际可行性。通过实现TEPS，网络管理员可以增强其SDN基础设施对lfa的安全性，并通过轻量级方法维护健壮的连接。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Scientific Reports Natural Science Disciplines-

CiteScore

7.50

自引率

4.30%

发文量

19567

审稿时长

3.9 months

期刊介绍： We publish original research from all areas of the natural sciences, psychology, medicine and engineering. You can learn more about what we publish by browsing our specific scientific subject areas below or explore Scientific Reports by browsing all articles and collections. Scientific Reports has a 2-year impact factor: 4.380 (2021), and is the 6th most-cited journal in the world, with more than 540,000 citations in 2020 (Clarivate Analytics, 2021). •Engineering Engineering covers all aspects of engineering, technology, and applied science. It plays a crucial role in the development of technologies to address some of the world''s biggest challenges, helping to save lives and improve the way we live. •Physical sciences Physical sciences are those academic disciplines that aim to uncover the underlying laws of nature — often written in the language of mathematics. It is a collective term for areas of study including astronomy, chemistry, materials science and physics. •Earth and environmental sciences Earth and environmental sciences cover all aspects of Earth and planetary science and broadly encompass solid Earth processes, surface and atmospheric dynamics, Earth system history, climate and climate change, marine and freshwater systems, and ecology. It also considers the interactions between humans and these systems. •Biological sciences Biological sciences encompass all the divisions of natural sciences examining various aspects of vital processes. The concept includes anatomy, physiology, cell biology, biochemistry and biophysics, and covers all organisms from microorganisms, animals to plants. •Health sciences The health sciences study health, disease and healthcare. This field of study aims to develop knowledge, interventions and technology for use in healthcare to improve the treatment of patients.