To proactively defend against intruders from readily jeopardizing single-path data sessions, we propose a distributed secure multipath solution to route data across multiple paths so that intruders require much more resources to mount successful attacks. Our work exhibits several crucial properties that differentiate itself from previous approaches. They include (1) distributed routing decisions: routing decisions are made without the centralized information of the entire network topology, (2) bandwidth-constraint adaptation: the worst-case link attack is mitigated for any feasible session throughput subject to the link-bandwidth constraints, and (3) lexicographic protection: severe link attacks are suppressed based on lexicographic optimization. We devise two algorithms for the solution, termed the bound-control algorithm and the lex-control algorithm, and prove their convergence to the respective optimal solutions. Experiments show that the bound-control algorithm is more effective to prevent the worst-case single-link attack when compared to the single-path approach, and that the lex-control algorithm further enhances the bound-control algorithm by countering severe single-link attacks and various models of multi-link attacks. Moreover, the lex-control algorithm offers prominent protection after only a few execution rounds. Thus, system designers can sacrifice minimal routing security for significantly improved algorithm performance when deploying the distributed secure multipath solution.