You Can Obfuscate, but You Cannot Hide: CrossPoint Attacks against Network Topology Obfuscation

Link-flooding attacks (LFAs) may disrupt Internet connections in targeted areas by flooding specific links. One effective mitigation strategy against these attacks is network topology obfuscation (NTO), which aims to obscure the network map and conceal critical links, preventing attackers from identifying bottleneck links.

However, we argue that the attackers can still discover critical links in the presence of NTO defenses. In this paper, we introduce the CrossPoint attacks to escape the security protections of state-of-the-art NTO defenses by exploiting two network traffic features: correlated congestion and statistical disparities. Although NTO defenses create a complex and seemingly robust virtual topology, distinct information is still discoverable due to conflicting design objectives and inherent features of the Internet, resulting in novel side channels. Through comprehensive experiments, including a measurement study on the Internet, we demonstrate CrossPoint attacks' high success rate (80%-95%), minor overhead (10%-20%), as well as attack stealthiness and feasibility.