SpiderNet: Enabling Bot Identification in Network Topology Obfuscation Against Link Flooding Attacks

Link-flooding attacks (LFAs) pose a significant challenge to Internet availability by attacking critical network links with high volumes of seemingly legitimate traffic. In response, researchers have developed network topology obfuscation (NTO) to safeguard critical links. However, state-of-the-art NTO defenses are coarse-grained, leading to less efficient security and usability. In addition, once under attack, NTO schemes cannot identify the attacker's bot and launch counter-defensive measures. To address these issues, this paper introduces SpiderNet, which employs advanced obfuscation techniques to secure critical links while using strategically created honeypot links for effective bot identification. When adversaries probe the network, SpiderNet captures their probing behavior and deliberately feeds back misinformation about honeypot links. By analyzing the attack patterns directed at these decoy targets, SpiderNet correlates them with adversarial probing activities to effectively identify the bots. Our experiments demonstrate that SpiderNet is more robust than state-of-the-art NTO schemes in terms of security and usability, while also being capable of identifying LFA bots.