Early Prevention and Mitigation of Link Flooding Attacks in Software Defined Networks
Journal of Network and Computer Applications (IF 8.7). Pub Date: 2024-01-26. DOI: 10.1016/j.jnca.2024.103832
Shariq Murtuza , Krishna Asawa

Software-Defined Networks (SDNs) are increasingly gaining prominence in the networking domain, enabling programmable control and management of network infrastructure within data centers. This programmability offers the advantage of dynamically adjusting routing paths depending on the network’s requirements and capabilities. Computer networks have long been vulnerable to denial-of-service attacks, particularly link flooding attacks, which have gained notoriety for their ability to isolate network segments precisely, without affecting the rest of the network, while evading detection. In this work, we introduce a security framework designed to prevent and mitigate link flooding attacks in Software-Defined Networks. Our approach limits the network reconnaissance probes that attackers use to gather knowledge about the network topology. By preventing attackers from obtaining an accurate network topology, we limit their ability to launch an attack. Our framework utilizes alternate paths and hop count manipulation to hinder the reconnaissance process. To further support our claims, we evaluate our framework on real-world topologies from the Topology Zoo dataset. Our analysis demonstrates that the majority of real-world topologies already exhibit network path diversity, and that combining this diversity with TTL manipulation hinders the mapping process, causing the attacker to infer an incorrect network topology.
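The abstract names two defensive levers, path diversity (alternate routes the controller can install) and hop-count manipulation (extra TTL decrements at switches), and claims that together they cause a hop-limited prober to infer a wrong topology. The following toy model, added here as an example and not code from the paper or its authors, makes that claim concrete: it computes the edge-disjoint path count (a simple path-diversity measure) on a constructed five-switch topology, simulates traceroute-style probing with increasing TTL, and shows that the observed hop sequence is no longer a walk over real links once alternate routing and extra TTL decrements are applied. The topology, switch names, the two routes, and the way extra decrements are modelled are all assumptions of this example.

```python
"""Toy model (added example, not the paper's code) of traceroute-style path
mapping in an SDN and of two defences named in the abstract: alternate paths
and hop-count (TTL) manipulation. Topology and switch ids are constructed."""
from collections import deque

# Constructed undirected topology; switch ids are hypothetical.
TOPOLOGY = {
    "s1": ["s2", "s3"],
    "s2": ["s1", "s4"],
    "s3": ["s1", "s4", "s5"],
    "s4": ["s2", "s3", "s5"],
    "s5": ["s3", "s4"],
}

# Two edge-disjoint routes the controller could install between s1 and s5
# (constructed; in this model the last node answers as the destination).
ALT_PATHS = [["s1", "s3", "s5"], ["s1", "s2", "s4", "s5"]]


def edge_disjoint_paths(graph, src, dst):
    """Number of edge-disjoint src->dst paths: unit-capacity max flow over the
    undirected graph (each link becomes two opposite arcs of capacity 1).
    A defender can compute this per switch pair as a path-diversity measure."""
    cap = {(u, v): 1 for u, nbrs in graph.items() for v in nbrs}
    count = 0
    while True:
        prev = {src: None}
        queue = deque([src])
        while queue and dst not in prev:  # BFS in the residual graph
            u = queue.popleft()
            for v in graph[u]:
                if v not in prev and cap[(u, v)] > 0:
                    prev[v] = u
                    queue.append(v)
        if dst not in prev:
            return count
        v = dst
        while prev[v] is not None:  # push one unit along the augmenting path
            u = prev[v]
            cap[(u, v)] -= 1
            cap[(v, u)] += 1
            v = u
        count += 1


def observed_hops(paths, extra_decrement=None, alternate=False, max_ttl=16):
    """Simulate hop-limited probing. Probes are sent with TTL 1, 2, ...; each
    transit switch decrements TTL by 1 plus any extra decrement configured for
    it (the hop-count manipulation); the switch at which TTL reaches 0 is
    recorded as that hop, and the trace ends when a probe reaches the last
    node of its path. With alternate=True, successive probes are routed over
    paths in round-robin order (the alternate-path defence)."""
    extra_decrement = extra_decrement or {}
    observed = []
    for ttl in range(1, max_ttl + 1):
        path = paths[(ttl - 1) % len(paths)] if alternate else paths[0]
        remaining = ttl
        expired_at = None
        for node in path[:-1]:  # transit switches; last node is the destination
            remaining -= 1 + extra_decrement.get(node, 0)
            if remaining <= 0:
                expired_at = node
                break
        if expired_at is None:
            observed.append(path[-1])  # destination answered: trace complete
            return observed
        observed.append(expired_at)
    return observed


def is_consistent_path(graph, hops):
    """True if the observed hop sequence is a simple walk over real links,
    i.e. the prober could have inferred a correct path from it."""
    if len(set(hops)) != len(hops):
        return False
    return all(b in graph[a] for a, b in zip(hops, hops[1:]))


if __name__ == "__main__":
    print("edge-disjoint s1->s5 paths:", edge_disjoint_paths(TOPOLOGY, "s1", "s5"))
    runs = [
        ("baseline", observed_hops(ALT_PATHS)),
        ("ttl manipulation", observed_hops(ALT_PATHS, extra_decrement={"s3": 1})),
        ("alternate + ttl", observed_hops(ALT_PATHS, extra_decrement={"s3": 1}, alternate=True)),
    ]
    for label, hops in runs:
        print(f"{label:18s} {hops}  consistent={is_consistent_path(TOPOLOGY, hops)}")
```

In the baseline run the prober recovers the true route s1, s3, s5. With one extra TTL decrement at s3 the same switch answers for two consecutive TTL values, so the inferred hop count is inflated; with alternate routing added, consecutive probes travel different routes and the stitched-together hop sequence s1, s2, s3, s5 crosses a link that does not exist in the topology. That mismatch is the "incorrect network topology" outcome the abstract describes, reduced to a checkable condition a defender can evaluate offline for a given topology and configuration.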
