Xiong Wang,Yukun Yang,Hanyu Liu,Jing Ren,Shizhong Xu,Sheng Wang,Shui Yu

DOI: https://doi.org/10.1016/j.jnca.2019.102468

IF: 7.574

2019-01-01

Journal of Network and Computer Applications

Abstract:Round-trip link delay is an important indicator for network performance optimization and troubleshooting. The Software-Defined Networking (SDN) paradigm, which provides flexible and centralized control capability, paves the way for efficient round-trip link delay measurement. In this paper, we study the round-trip link delay measurement problem in SDN networks. We propose an efficient measurement scheme, which infers round-trip link delays from end-to-end delay of some measurement paths implemented with few flow rules in each SDN switch. Furthermore, to reduce measurement cost and meet measurement constraint, we address the Monitor Placement and Link Assignment (MPLA) problem involved in the measurement scheme. Specifically, we formulate the MPLA problem as a Mixed Integer Linear Programming (MILP) problem, prove that it is NP-hard, and propose an efficient algorithm called MPLA Algorithm based on Biding Strategy (MPLAA-BS) to solve the problem. The extensive simulation results on real network topologies reveal that the proposed scheme can efficiently and accurately measure round-trip link delays in SDN networks, and the MPLAA-BS can find feasible and resource-efficient solutions for the MPLA problem.

Junjie Xie,Deke Guo,Xiaozhou Li,Yulong Shen,Xiaohong Jiang

DOI: https://doi.org/10.1109/jsac.2018.2815358

IF: 16.4

2018-01-01

IEEE Journal on Selected Areas in Communications

Abstract:To enable the network softwarization, network function virtualization (NFV) and software defined networking (SDN) are integrated to jointly manage and utilize the network resource and virtualized network functions (VNFs). For a network flow resulting from any NFV application, an associated switch would send a routing request to the controller in SDN. The controller then generates and configures a routing path to dynamically steer the flow across appropriate VNFs or service function chains. This process, however, exhibits a skew distribution of response latency with a long tail. Cutting the long-tail latency of response is critical to enable the network softwarization, yet difficult to achieve due to many factors, such as the limited capacities and the load imbalance among controllers. In this paper, we reveal that such flow requests still experience the long-tail response latency, even using the up-to-date controller-to-switch assignment mechanism. To tackle this essential problem, we first propose a light-weight and load-aware switch-to-controller selection scheme to cut the long-tail response latency under the simple scenario of homogeneous controllers, and then design a general delay-aware switch-to-controller selection scheme to fundamentally cut the long-tail response latency for the more complicated heterogeneous controller scenario with performance fluctuations. The comprehensive evaluations indicate that our two new switch-to-controller selection schemes can significantly reduce the long-tail latency and provide higher system throughput.

Curtis Yu,Cristian Lumezanu,Abhishek B. Sharma,Qiang Xu,Guofei Jiang,Harsha V. Madhyastha

DOI: https://doi.org/10.1007/978-3-319-15509-8_27

2015-01-01

Abstract:Data center network operators have to continually monitor path latency to quickly detect and re-route traffic away from high-delay path segments. Existing latency monitoring techniques in data centers rely on either (1) actively sending probes from end-hosts, which is restricted in some cases and can only measure end-to-end latencies, or (2) passively capturing and aggregating traffic on network devices, which requires hardware modifications.In this work, we explore another opportunity for network path latency monitoring, enabled by software-defined networking. We propose SLAM, a latency monitoring framework that dynamically sends specific probe packets to trigger control messages from the first and last switches of a path to a centralized controller. SLAM then estimates the latency distribution along a path based on the arrival timestamps of the control messages at the controller. Our experiments show that the latency distributions estimated by SLAM are sufficiently accurate to enable the detection of latency spikes and the selection of low-latency paths in a data center.

Pengzhan Wang,Hongli Xu,Liusheng Huang,Jie He,Zeyu Meng

DOI: https://doi.org/10.1109/jsac.2017.2760187

IF: 16.4

2017-01-01

IEEE Journal on Selected Areas in Communications

Abstract:Software defined networking (SDN) separates the data plane and control plane on independent devices. Since the data plane, consisting of switches, is responsible for packets forwarding, previous work often considers the different constraints (e.g., data link capacity and flow-table size) only in the data plane to provide better QoS for users. However, due to limited CPU processing power and low speed of flow-table updating on each switch, the control channels/links between switches and the controller often have very limited capacity, which will cause QoS performance (e.g., response time and throughput) degradation when the switch should handle a high traffic load. The goal of our paper is to achieve better QoS by jointly considering the control link constraint and other different constraints of the data plane in SDNs. We formally define the control link load balancing and low delay route deployment problems, and prove the NP-Hardness. We present two algorithms with bounded approximation factors for each problem and implement the proposed methods on our SDN testbed. Extensive simulation results and experimental results show that our algorithms can reduce control link load by about 50% and response time by about 60%, and increase the network throughput by 65% compared with previous methods.

Xi Chen,Yue Chen,Arun Kumar Sangaiah,Shouxi Luo,Hongfang Yu

DOI: https://doi.org/10.3390/en12061147

IF: 3.2

2019-01-01

Energies

Abstract:While software-defined networking (SDN) has been widely applied in various networking domains including datacenters, WANs (Wide Area Networks), QoS (Quality of Service) provisioning, service function chaining, etc., it also has foreseeable applications in energy internet (EI), which envisions an intelligent energy industry on the basis of (information) internet. Global awareness provided by SDN is especially useful in system monitoring in EI to achieve optimal energy transportation, sharing, etc. Link layer discovery protocol (LLDP) plays a key role in global topology discovery in software-defined energy internet when SDN is applied. Nevertheless, EI-related status information (power loads, etc.) is not collected during the LLDP-based topology discovery process initiated by the SDN controller, which makes the optimal decision making (e.g., efficient energy transportation and sharing) difficult. This paper proposes MonLink, a piggyback status-monitoring scheme over LLDP in software-defined energy internet with SDN-equipped control plane and data plane. MonLink extends the original LLDP by introducing metric type/length/value (TLV) fields so as to collect status information and conduct status monitoring in a piggyback fashion over LLDP during topology discovery simultaneously without the introduction of any newly designed dedicated status monitoring protocol. Several operation modes are derived for MonLink, namely, periodic MonLink, which operates based on periodic timeouts, proactive MonLink, which operates based on explicit API invocations, and adaptive MonLink, which operates sensitively and self-adaptively to status changes. Various northbound APIs are also designed so that upper layer network applications can make full use of the status monitoring facility provided by MonLink. Experiment results indicate that MonLink is a lightweight protocol capable of efficient monitoring of topological and status information with very low traffic overhead, compared with other network monitoring schemes such as sFlow.

Zixu Huang,Xuanbo Huang,Jian Li,Kaiping Xue,Qibin Sun,Jun Lu

DOI: https://doi.org/10.1109/hpsr54439.2022.9831333

2022-01-01

Abstract:Software-Defined Networking (SDN) is a new and highly flexible network architecture, but the bottleneck between the control plane and the data plane makes it vulnerable to the control plane saturation DoS attacks. When the attack happens, traditional schemes in DoS scrubbing agent use a binary classification and a First In First Out (FIFO) queue to filter attack flows. However, this scheme is inimical to the end-to-end latency of benign traffic. To tackle this issue, we propose LLDM, leveraging a dynamic priority scheme and a priority queue to detect, mitigate the attacks while ensuring low latency for benign traffic. After detecting the attack, LLDM leverages a two-phase scheme for mitigation. First, LLDM marks packets from the ports under attack as suspicious and migrates them to the mitigation agent. Then, the dynamic priority manager assigns each packet a priority corresponding to its legality, which is used in the priority queue for DoS scrubbing. We evaluate LLDM in a simulation SDN environment. The experimental results show that LLDM can reduce 90.4% of the queuing delay compared with the traditional scheme under a 5000 Packets Per Second (PPS) attack, and it is also resistant to more sophisticated attacks. Under the high rate attack of 50000 PPS, LLDM installs a flow rule for legitimate traffic in 0.2 seconds. Moreover, for benign HTTP requests, LLDM can keep the request time at 1.39 seconds.

Xiong Wang,Mehdi Malboubi,Zhihao Pan,Jing Ren,Sheng Wang,Shizhong Xu,Chen-Nee Chuah

DOI: https://doi.org/10.1109/tnet.2018.2865892

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:In this paper, we propose the Programmable Link Metric Identification (ProgLIMI) infrastructure for software-defined networking (SDN) networks. ProgLIMI identifies round-trip link metrics (RTLMs) from accumulated end-to-end metrics of selected measurement paths by leveraging the flexible routing control capability of SDN networks. ProgLIMI mainly solves three sub-problems: 1) monitor placement; 2) linearly independent measurement path construction; and 3) flow rule design. To reduce measurement cost, ProgLIMI tries to minimize the number of required monitors and flow rules. In this paper, we address the three sub problems for both full and hybrid SDN networks. For full SUN networks, ProgLIMI can achieve full RTLM identification using only one monitor and two flow rules in each SDN switch. In contrast, the RTLM identification in hybrid SDN networks is more complicated due to the routing constraint of hybrid SDN networks. We first prove that the monitor placement problem in hybrid SDN networks is NP-hard. We then formulate the monitor placement and measurement path selection problem in hybrid SDN networks and propose a greedy heuristic algorithm to solve the problem efficiently. Our evaluations on both physical testbed and simulation platform reveal that ProgLIMI can accurately identify the RTLMs (delay and loss rate). Besides, ProgLIMI is also resource efficient, i.e., it only requires two flow rules in each SUN switch and a small number of monitors, and the extra probing traffic load incurred by ProgLIMI is also low.

Huang Xufu,Liu Chuan,Lin Yilei,Jin Yaohui,Luo Xuan

DOI: https://doi.org/10.11959/j.issn.1000-0801.2015090

2015-01-01

Abstract:With network scale and network traffic growing up，the performance of SDN controller can probably be bottleneck，in order to still obtain correct performance status on dynamical workload，an online performance monitor frame was designed and Lpdex，a controller latency performance metric，was defined. Then a simple prototype of performance monitor was implemented on FloodLight，a widely used controller，after experimental evaluation，controller performance monitor was validated feasible and Lpdex can indicate controller latency performance accurately online with workload varying.

Hancun Sun,Xu Chen,Yantian Luo,Wei Feng,Yunfei Chen,Ning Ge

DOI: https://doi.org/10.1109/icct59356.2023.10419782

2023-01-01

Abstract:Link flooding attack (LFA) is a kind of stealthy distributed denial of service (DDoS) attack that has been commonly exploited by attackers to disconnect victims from the Internet by congesting critical links on the paths. With the development of 5G, a massive number of insecure Internet of Things (IoT) devices have been connected to the network, which significantly increases the risk of LFA. Detecting and mitigating LFA is difficult since malicious traffic is of low speed and protocol confirming from legitimate traffic. Traditional LFA detection methods face the challenge of high complexity. Due to the numerous attack sources of LFA, the mainstream traffic engineering-based mitigation methods introduce high signaling communication costs. To over-come these challenges, we propose a novel LFA defense system in software defined networking (SDN) architecture that consists of a distributed relative entropy-based LFA detection method and an optimized rerouting method for LFA mitigation. This framework is lightweight to implement. It can not only reduce the communication overhead of signaling transmission in mitigation, but also avoid the cascading congestion of other links after rerouting. We verify our detection and mitigation method in an experimental testbed. Numerical results show that our method can detect and mitigate LFAs effectively with low cost.

Meng Shen,Liehuang Zhu,Mingwei Wei,Qiongyu Zhang,Mingzhong Wang,Fan Li

DOI: https://doi.org/10.1109/icccn.2016.7568535

2016-01-01

Abstract:Software Defined Networks (SDNs) decouple control plane from data plane and enable fine-grained traffic management by a logically centralized controller. Reducing the flow latency is of great importance in traffic management, which benefits both service providers and end users. Routing design and flow scheduling are typical ways to improve the flow transmission efficiency. However, existing studies usually consider them separately, due to the complexity of joint consideration.In this paper, we combine the routing and scheduling together and propose a latency-aware routing scheme with bandwidth assignment, which can efficiently reduce the flow latency with a moderate complexity. In the routing design, we utilize the global flow information to reduce both the latency of the newly arrived flow and its interference with existing flows in the network. Given flow forwarding paths determined by routing, the flow scheduling dynamically reallocates the bandwidth to all flows so as to further reduce the total flow latency. Experimental results show that our scheme outperforms the scheme currently available in OpenFlow, with an improvement of up to 60% on flow efficiency and a higher percentage of flows that meet their deadlines.

Xin Zhao,Lin Yao,Guowei Wu

DOI: https://doi.org/10.1002/dac.3552

2018-01-01

International Journal of Communication Systems

Abstract:SummarySoftware‐defined networking simplifies network management by decoupling the control plane from the data plane and centralizing it to the controller. As the brain of the network, the controller gains up‐to‐date holistic network visibility via topology discovery. However, as a key service of topology discovery, the link discovery service opens problems on efficiency and security. On the one hand, sending link discovery packets to all ports wastes not only the limited controller resources (such as CPU and memory) but also control channel bandwidth. On the other hand, attackers may use these packets to create fake links and perform link fabrication attack. Because of the centralized control paradigm, wasting controller resources may degrade network performance, and all the fake links may severely poison the network topology, even causing the denial of service or man‐in‐the‐middle attack. In this paper, we propose an efficient and secure link discovery scheme to improve link discovery performance and resist link fabrication attack caused by the software‐defined networking link discovery service. By adopting port classification technique and directionally transmitting packets to appropriate ports, our approach can reduce or eliminate redundant packets and improve link discovery performance. Meanwhile, we adopt the directional packet transmitting approach and the time‐marked hash‐based message authentication code authenticate scheme to resist the link fabrication attack. A prototype system is implemented on the basis of POX controller and Mininet simulator to evaluate our scheme. Simulation results demonstrate that our scheme can solve the link fabrication problems with less overload of both the control plane and the data plane.

Meng Yue,Qingxin Yan,Zichao Lu,Zhijun Wu

DOI: https://doi.org/10.1109/tnsm.2024.3363490

2024-01-01

IEEE Transactions on Network and Service Management

Abstract:Software-Defined Networking (SDN) actualizes the separation of control and forwarding, innovates network functionality with a logically centralized controller, and facilitates network-wide collaboration. Contemporary SDN infrastructure exposes potential bottlenecks which are prone to engaging low-rate denial of service (LDoS) attacks. Currently, a great deal of detection methods are deployed in the controller, and the controller needs to poll the switch frequently, which brings heavy load to the controller and the southbound link. According to the analysis of existing researches, we focused on the how to decrease the frequent polling of the controller and improve the detection rate. In this paper, we adopted the idea of cross-plane collaboration and proposed a two-phase detection framework, which carried out the lightweight detection method in the data plane and the in-depth detection based on Bayesian voting mechanism in the control plane. Once LDoS attacks are detected, the controller recalculates routes for the bottleneck nodes using the optimized Dijkstra algorithm to complete mitigation. Theoretical analyses and extensive experiments are conducted to validate the performance of our proposed method. Test results show that our method outperforms other traditional methods in terms of the detection rate of 99.1%, the detection delay of 1.3s and the communication overhead of 1068 Byte/s, the average CPU utilization of controller remains at approximately 3.5%. The proposed method takes a step forward to enhance the security of SDN.

computer science, information systems

Shou-Yi WANG,Qi LI,Yun ZHANG

DOI: https://doi.org/10.11897/SP.J.1016.2019.00176

2019-01-01

Jisuanji Xuebao/Chinese Journal of Computers

Abstract:Software-Defined Networking (SDN) simplifies network management by separating control and data planes, and has been received much attention recently.However, SDN cannot ensure correctness of packet forwarding in the networks, e.g., the packets in SDN can be dropped, tampered with, or faked, which may be incurred by false forwarding rule enforcement or attacks.SDN has a simple packet forwarding mechanism in its data plane so that the forwarding verification techniques in the traditional IP networks cannot be applied in SDN.Therefore, it is challenging to verify packet forwarding and ensure correctness of packet forwarding in SDN.The existing studies verify packet forwarding in SDN by verifying packets hop-by-hop or periodically comparing flow statistics of all flows, which incurs significant computation and communication overhead.In this paper, we present LPV (Lightweight Packet Forwarding Verification), a system provides the ability of verifying SDN data plane forwarding.The goal of LPV is to provide a reliable and practical mechanism to detect and defend against wrong packet forwarding.To this end, we develop a lightweight forwarding verification approach to detecting forwarding anomalies and locating malicious switches by leveraging the Packet-in mechanism and the flow statistics maintained in switches.LPV samples packets delivered by ingress and egress switches according to dedicated flow rules, and reports the message authentication code (MAC) values of packets and the statistics of the corresponding flows by Packet-in messages.Thereby, the controllers can detect malicious forwarding behaviors by comparing the MAC values of the packets and the statistics of the flows.Moreover, LPV can locate the switches that perform the malicious packet forwarding behaviors, e.g., malicious packet modification and packet dropping, by analyzing the correlations of the information, i.e., the Packet-in messages and flow statistics.By enforcing the sample mechanism, LPV significantly reduces the computation cost, and communication and storage overheads, which incurred by packet processing in switches and controllers.In particular, by randomly sampling packets according to the flow rules, LPV ensures the consistency of packet processing performed by different switches.Adversaries cannot easily infer which packets are sampled so that they cannot interfere with the verification.We implement a prototype of LPV with open source OpenFlow controllers, i.e., Floodlight, and open source OpenFlow switches, i.e., ofsoftware13, and evaluate the performance by Mininet experiments.The experimental results show that LPV detects various forwarding anomalies, while introducing negligible overhead, i.e., around 10％average delays in packet forwarding and less than 10％communication overhead.

Tao Yu,Longfei Yu,Diyue Chen,Hongyan Cui,Jilong Wang

DOI: https://doi.org/10.23919/jcc.2020.06.001

2020-01-01

China Communications

Abstract:The rise of the network has injected new impetus into the development of traditional networks.Due to the complexity of the network itself and its network programmability,there is a risk of routing loops occurring in the SDN network.This paper proposes a loop detection mechanism.According to the Time To Live（TTL） value of the loop packet,there is approximately periodicity in the same loop.We use sFlow to count the number of packets corresponding to each TTL value of a switch in the loop over a period of time,and perform discrete Fourier transform on the obtained finite-length sequence to observe its frequency domain performance and determine whether there are periodic features.By doing so, it is determined whether there is a routing loop,and the purpose of passively detecting the routing loop is achieved.Compared to existing algorithms,it has advantages in real-time,scalability and false positive rate.The experimental results show that the routing loop detection algorithm based on TTL statistics in this paper still maintains high judgment accuracy under the scenarios of lower stream sampling rate and smaller detection period.

Liuwei Huo,Dingde Jiang,Zhihan Lv

DOI: https://doi.org/10.1002/ett.4172

IF: 3.6

2022-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:In software‐defined networks (SDN) for 6G technologies, the controller should accurately and efficiently measure the flow traffic in switches for traffic engineering. Fine‐grained flow measurement can more accurately describe the traffic in the network, but it also consumes much more resources. To reduce the overhead incurred in the measurement process and obtain the approximate fine‐grained measurements, we propose a novel lightweight measurement scheme that runs in the controller. The novel lightweight measurement architecture consists of two parts: coarse‐grained measurement and interpolation‐optimization. In the first part, based on the SDN architecture, we use the pull‐based random sampling method to quickly obtain the coarse‐grained measurement of flow traffic through OpenFlow protocol. In the second part, we insert some discrete values into the coarse‐grained measurement with the interpolation theory, then we optimize interpolation results until finding the optimal fine‐grained flow traffic measurement by utilizing the multiconstraint method. We verified the feasibility of the proposed measurement method, and simulation results show that the measurement error of the proposed method is under 25%, but the flow measurement overhead of this method occupies only 3.3% compared with that of the fine‐grained method.

Zhiyang Su,Ting Wang,Yu Xia,Mounir Hamdi

DOI: https://doi.org/10.1109/GLOCOM.2014.7037094

2017-01-01

Abstract:Network monitoring and measurement are crucial in network management to facilitate quality of service routing and performance evaluation. Software Defined Networking (SDN) makes network management easier by separating the control plane and data plane. Network monitoring in SDN is lightweight as operators only need to install a monitoring module into the controller. Active monitoring techniques usually introduce too many overheads into the network. The state-of-the-art approaches utilize sampling method, aggregation flow statistics and passive measurement techniques to reduce overheads. However, little work in literature has focus on reducing the communication cost of network monitoring. Moreover, most of the existing approaches select the polling switch nodes by sub-optimal local heuristics. Inspired by the visibility and central control of SDN, we propose FlowCover, a low-cost high-accuracy monitoring scheme to support various network management tasks. We leverage the global view of the network topology and active flows to minimize the communication cost by formulating the problem as a weighted set cover, which is proved to be NP-hard. Heuristics are presented to obtain the polling scheme efficiently and handle flow changes practically. We build a simulator to evaluate the performance of FlowCover. Extensive experiment results show that FlowCover reduces roughly 50% communication cost without loss of accuracy in most cases.

Peng Zhang,Hao Li,Chengchen Hu,Liujia Hu,Lei Xiong,Ruilong Wang,Yuemei Zhang

DOI: https://doi.org/10.1145/2999572.2999605

2016-01-01

Abstract:How to debug large networks is always a challenging task. Software Defined Network (SDN) offers a centralized con- trol platform where operators can statically verify network policies, instead of checking configuration files device-by-device. While such a static verification is useful, it is still not enough: due to data plane faults, packets may not be forwarded according to control plane policies, resulting in network faults at runtime. To address this issue, we present VeriDP, a tool that can continuously monitor what we call control-data plane consistency, defined as the consistency between control plane policies and data plane forwarding behaviors. We prototype VeriDP with small modifications of both hardware and software SDN switches, and show that it can achieve a verification speed of 3 μs per packet, with a false negative rate as low as 0.1%, for the Stanford backbone and Internet2 topologies. In addition, when verification fails, VeriDP can localize faulty switches with a probability as high as 96% for fat tree topologies.

Dong Liang,Qinrang Liu,Binghao Yan,Yanbin Hu,Bo Zhao,Tao Hu

DOI: https://doi.org/10.1007/s12083-021-01215-1

IF: 3.488

2021-01-01

Peer-to-Peer Networking and Applications

Abstract:Link backup is an important factor in the fault tolerance of SDN. The current research directions are proactive schemes and reactive schemes. The proactive schemes deploy the backup flow rules in the switches in advance and reserve the backup bandwidth. In reactive schemes, the controller calculates the backup path when a failure occurs. The proactive scheme easily causes the switch and link bandwidth resources to be exhausted, while the recovery time of the reactive scheme is too long. Moreover, none of the current methods considers the flow interruption rate. This article designs a set of efficient and low interruption rate link backup scheme. Our objective is to reduce the number of interrupted flows due to link failures. With this objective, we formalize the selection of the backup paths as an integer programming problem, and prove that it is NP-hard. Then we design a heuristic algorithm to solve it. We propose two algorithms to further optimize the calculated backup paths to reduce the need for backup flow rules and backup bandwidth. Simulations show that our method can effectively reduce the flow interruption rate after link failure recovery, and only needs less network resources.

ZHU Lie-huang,ZHANG Qiong-yu,SHEN Meng,WANG Ming-zhong

DOI: https://doi.org/10.3969/j.issn.1005-3026.2017.03.007

2017-01-01

Abstract:Routing decision in software defined networks ( SDN ) , which was based on the shortest path model, was unable to guarantee to minimize the delivery delay in the routing path. An efficient traffic-aware routing scheme was proposed, in which the information delivery latency was taken as the measurement of the routing efficiency. Based on the network-wide traffic information, various traffic indicators were considered by this scheme, including available bandwidth, packet loss probability, delay, switches invalidity probability, and routing path length, to find out the optimal routing path to enhance the efficiency of data delivery in networks. Experiments show that the scheme outperforms current scheme applied in OpenFlow framework with up to 90% improvement on efficiency. What' s more, the scheme is helpful to maintain the load balance of the networks.

Lei Wang,Qing Li,Yong Jiang,Jianping Wu

DOI: https://doi.org/10.1109/iscc.2016.7543772

2016-01-01

Abstract:Link flooding attack (LFA), as a new type of DDoS attack, can degrade or even cut off network connectivity of a target area. This attack employs legitimate, low-density flows to flood a group of selected links. Therefore, these malicious flows can hardly be distinguished by traditional schemes. In this paper, we propose a scheme called Woodpecker, which makes the LFA more difficult to take effect. First, we select M routers and upgrade them into SDN switches that can maximize the network connectivity. Second, we propose a proactive probe approach to quickly locate the congested links and judge whether LFA occurs. Finally, Woodpecker employs centralized traffic engineering based on the upgraded nodes, which can make the traffic balanced enough to eliminate the routing bottlenecks likely to be utilized by the adversary. We evaluate our scheme by comprehensive experiments. The results show that: 1) the bandwidth utilization of LFA-attacked links can be reduced by around 50%; 2) the average packet loss rate and jitter can be effectively mitigated under LFA attacks.