
MINISTRY OF EDUCATION OF THE REPUBLIC OF BELARUS

EDUCATIONAL INSTITUTION
« YANKA KUPALA STATE UNIVERSITY OF GRODNO »

UDK 004.716 As a manuscript

ABEDYASIR MUSTAFA ALI ABEDYASIR

DEVELOPMENT OF AN SDN CONTROLLER FOR SECURITY
AGAINST A “MAN-IN-THE-MIDDLE” ATTACK

Master's dissertation for the degree of
Master of Engineering Science

Specialty 1-408003 «Computing machines and system»

Scientific advisor
Yauheny Alizarovich,
Head of the Information and Analytical Center,
Ph.D. in Engineering,
Associate Professor
Approved for defense
_______
(Date)
________/L.V.Rudikova
(Full name and signature of the head of the department)

Grodno, 2020
CONTENTS
INTRODUCTION
GENERAL DESCRIPTION OF THE WORK
CHAPTER ONE. GENERAL INTRODUCTION
1.1 Introduction to SDN Networks
1.2 Introduction to Network Security
1.3 Research Objectives
1.4 Thesis Outline
CHAPTER TWO. THEORETICAL BACKGROUND
2.1 Introduction to the Network
2.2 Address Resolution Protocol
2.2.1 ARP Operations
2.2.2 Static and Dynamic Entries in the ARP Cache
2.3 OpenFlow
2.4 Network Attacks
2.4.1 Categories of Security Attacks
2.4.2 ARP Attacks
2.4.3 ARP Poisoning Attack
CHAPTER THREE. PROPOSED WORK
3.1 Overview
3.2 Problem Definition
3.3 Proposed Algorithm
3.3.1 DHCP Server Operation
3.3.2 Detection System
3.3.3 Prevention System
CHAPTER FOUR. IMPLEMENTATION AND RESULTS
4.1 Overview
4.2 Virtual Machines
4.3 Mininet (SDN Simulator)
4.4 RYU OpenFlow Controller
4.5 Wireshark and Testing Phase
4.6 Lab Environment
4.6.1 First Scenario: Simple Topology without RYU Controller
4.6.2 Second Scenario: Simple Topology with RYU Controller
4.6.3 Mininet Host Implementation
4.7 Proposed Algorithm Implementation
4.8 Scenario Results
CHAPTER FIVE. CONCLUSIONS AND FUTURE WORK
5.1 Conclusions
5.2 General Conclusion
5.3 Future Work
REFERENCES

INTRODUCTION
The relevance of the research. Network security has become a central concern in every technology that depends on a network, and it is the primary concern of any network administrator. One class of security problem affecting local networks is attacks on the Address Resolution Protocol (ARP). ARP takes a logical Internet Protocol (IP) address, resolves it to the corresponding physical Media Access Control (MAC) address, and hands that address to layer 2 (the data link layer); in other words, ARP maps a logical IP address to a physical MAC address. On a typical physical LAN, each device is identified by a MAC address that is usually burned into its network interface card (NIC). An ARP poisoning attack targets this IP-to-MAC mapping in order to redirect traffic through the attacker's host, which is how a man-in-the-middle (MITM) attack is mounted on a LAN.
This thesis proposes an algorithm based on Software Defined Networking (SDN). SDN makes the network programmable and has enabled rapid innovation in protocol design, network management and security. The thesis proposes a technique that uses SDN to protect data center networks from ARP poisoning. The proposed algorithm uses the ARP payload opcode together with the Ethernet source address to identify the malicious nodes that carry out ARP spoofing.
The algorithm collects and analyzes ARP_REQUEST and ARP_REPLY messages and checks the addresses they carry against the Ethernet MAC address. The proposed algorithm is implemented on the RYU SDN controller and was tested against the scenarios used by ARP attackers to exploit the ARP protocol mechanism.

The proposed solution uses the features of SDN to reliably mitigate both ARP_REQUEST and ARP_REPLY attacks with minimal latency. It works by analyzing each request and reply and matching its addresses against the hardware (Ethernet) source address and the DHCP lease table (a key-value map of IP to MAC), so that ARP poisoning attempts are blocked at the controller without adding any extra overhead to the network.

GENERAL DESCRIPTION OF THE WORK
The aim of this work is to identify the most suitable solution by analyzing the possible cases and examining their features and weaknesses. To reduce the number of ARP_REQUEST messages that are broadcast over the network, each device's operating system keeps a cache of the ARP_REPLY messages received from other hosts. Whenever a host receives an ARP_REPLY, it normally updates its ARP cache with the new <IP, MAC> pair. In the proposed scheme, the <IP, MAC> mapping carried in an ARP_REPLY is allowed to update the ARP cache only if the sender's IP and source MAC (SRC_MAC) are already present in the DHCP lease table and SRC_MAC matches the hardware (Ethernet source) address.

It additionally requires no replacement of or change to the network infrastructure, unlike conventional ARP spoofing countermeasures. The solution is applied to a single controller in a local area network (LAN), but it can be extended to handle ARP attacks in multi-controller deployments with high availability. It can also be extended beyond ARP spoofing to other data link layer attacks. A further survey could investigate how to use more SDN features, multiple controllers and cloud resources to build a solution that prevents most spoofing attacks at all network layers.
The aim of the research is to form a comprehensive literature review of SDN and to use SDN features to guard the LAN from ARP poisoning attacks.
To achieve the aim it was necessary to solve the following tasks:
1. Detect false <IP, MAC> pairs.
2. Detect and block invalid <IP, MAC> pairs using DHCP lease information.
3. Filter ARP packets and logically match their fields against the Ethernet header.
4. Use SDN features to detect ARP poisoning.
5. Do not require continuous traffic.
6. Be suitable for large networks.
7. Require no replacement of or change to the network infrastructure.
8. Add no extra overhead to the network.

Object and subject of the research:

Research object: protection of the LAN from ARP poisoning attacks by means of SDN, based on a comprehensive literature review of SDN.
Research subject: network protection using an ARP analysis algorithm in the controller.
Methods: detection and prevention methods.
The proposed method is an application for the SDN RYU controller written in Python; it prevents LAN attackers from poisoning the ARP cache tables of other hosts in the network. It detects and mitigates ARP_REQUEST and ARP_REPLY spoofing attacks; the main approach of the proposed algorithm is the logical match of the ARP fields against the Ethernet header and the DHCP lease table.

CHAPTER ONE. GENERAL INTRODUCTION

1.1 Introduction to SDN Networks

While the importance of data networks has grown in all kinds of organizations over the last ten years, the work needed to control a network has become more important and more time-consuming. The larger the network grows, the more networking devices it requires. Traditionally, every networking device, for example a switch, has its own vendor-specific operating system and configuration (the set of rules and the language used to express them). In effect, the control plane and the data plane are both located inside each networking device.
Software-defined networking (SDN) is an approach to computer networking that allows the network to be controlled programmatically and new network capabilities to be developed. Instead of managing every network device individually through a vendor-specific interface, SDN centralizes control of the network in a dedicated SDN controller.
The essential idea of SDN is to separate the control plane from the data plane and to centralize it in a single point of the network. Each network device then only needs to handle the data plane, moving packets from one point to another according to the forwarding decisions made by the SDN controller [1]. In this way every switch is managed by one clearly defined controller through an application programming interface (API), and the controller in turn is driven by application-layer SDN programs. The basic SDN architecture is shown in Fig. 1.1.

Fig 1.1 The SDN layers

This opens new possibilities for designing computer networks and makes network administration easier than before. The main difference between SDN and earlier approaches is that a software component running on a server or a CPU is introduced into the architecture of the network. This software component is in charge of the control plane of the network. This is why we say that SDN separates the control and data planes; in earlier approaches this separation was not as clear.

1.2 Introduction to Network Security
Networks are exposed to many security threats: denial of service (DoS), scanning, password cracking, spoofing, eavesdropping, spamming, phishing, worms and others. Many organizations and businesses therefore define a network security policy: a set of rules that users must follow to avoid, or at least reduce, these threats. Technically, the policy is usually enforced by firewalls, intrusion detection and prevention systems (IDS, IPS) or a virtual private network (VPN).
The firewall represents the first level of defense. It is used to regulate inbound and outbound traffic through the network and applies multiple rules to control the network traffic.
Intrusion detection and/or prevention should be deployed to satisfy two fundamental requirements: to detect and/or protect host computers from security threats that reach the network from the Internet or from other networks, and the other way around. This thesis attempts to explore all the aspects of one of the important attacks, the ARP cache poisoning attack.
The attacker poisons the ARP cache of the host system, thereby redirecting the victim's traffic to the attacker's own machine. The attacker then captures all of that traffic and extracts valuable information such as usernames and passwords, which can be used to obtain more private data or to damage or destroy the compromised accounts.
This thesis attempts to put into practice certain methods by which ARP cache poisoning can be detected and prevented before a major loss of data. It has become very important to secure the data traveling on the network. ARP spoofing is one of the vulnerabilities that exist in current networking protocols which gives an attacker practically free rein over a network. These attacks are comparatively simple to carry out, since a good number of automated tools are available, while any defense against them must come at the lowest possible cost.
1.3 Research Objectives

The goal of this thesis is to form a comprehensive literature review of SDN and to use SDN features to guard the LAN from ARP poisoning attacks. The thesis objectives are:

1. Detect false <IP, MAC> pairs.
2. Detect and block invalid <IP, MAC> pairs using DHCP features.
3. Filter ARP packets and logically match their fields against the Ethernet header.
4. Use SDN features to detect ARP poisoning.
5. Do not require continuous traffic.
6. Be suitable for large networks.
7. Require no replacement of or change to the network infrastructure.
8. Add no extra overhead to the network.

The purpose of these objectives is to provide an efficient approach that is able to detect and prevent ARP cache poisoning. This is done by deploying detection and prevention algorithms on top of the SDN controller to stop any wrong or unauthorized attempt to change the contents of the cache with invalid associations. This prevents the unwanted redirection of traffic through the attacker's machine, so that valuable data cannot be sniffed. The algorithms work by evaluating ARP packets. Two algorithms are introduced: the first works in a dynamic environment (dynamic entries), and the second works on a static map; the second algorithm is best used in a data center.

1.4 Thesis Outline

The structure is as follows. Chapter 2 explains general network operation and ARP operation, clarifies the SDN concept, the OpenFlow protocol architecture and how it works, the general benefits and applications of SDN features in network security, and the types of ARP attack. Chapter 3 discusses how the ARP poisoning attack works, the problem definition, the detection method, the prevention method and the implementation. Chapter 4 covers the test scenarios, results, conclusions and future work.

CHAPTER TWO. THEORETICAL BACKGROUND

In this chapter the required background is explained so that the thesis can be understood. First, general concepts of TCP/IP, the ARP protocol and software-defined networking are defined and explained. This is followed by a description of the standardized OpenFlow protocol and by an overview of existing ARP attacks and methods. Related work is presented and interpreted, and future trends and possible challenges are investigated.

2.1 Introduction to the Network

Every host in the network must have an IP address and a MAC address in order to communicate. The first, the MAC (media access control) address, is burned into the NIC of each host and is used to carry a frame from node to node. The second, the IP address, is the layer 3 address; it is a logical address and is responsible for carrying the packet from the sender to the receiver, so communication at this layer is host to host. The link between the MAC address and the IP address is the mapping mechanism: using the ARP protocol, the MAC address of any host can be obtained from its IP address, as discussed later. The protocol used at layer 2 is Ethernet and at layer 3 it is IP. A packet comes down from layer 3 with SRC_IP and DST_IP to layer 2; the data link layer encapsulates the packet in a frame, adds SRC_MAC and DST_MAC, splits it into multiple frames if necessary and sends them onto the medium.

The network stack has four layers, which are responsible for carrying data from the source to the destination; each layer generates its own header information and passes it on to the next layer.

Fig 2.1 The TCP/IP layers

2.2 Address Resolution Protocol

The Address Resolution Protocol (ARP) was developed to enable communication on an internetwork and is defined in RFC 826. Layer 3 devices need ARP to map IP network addresses to MAC hardware addresses so that IP packets can be sent across networks. Before a device sends a datagram to another device, it looks in its ARP cache to see if there is already a MAC address and corresponding IP address for the destination device. If there is no entry, the source device sends a broadcast message to every device on the network. Each device compares the IP address to its own; only the device with the matching IP address replies to the sending device with a packet containing its MAC address (except in the case of "proxy ARP"). The source device adds the destination device's MAC address to its ARP table for future reference, creates a data link header and trailer that encapsulate the packet, and proceeds to transfer the data. The figure below illustrates the ARP broadcast and response process.

When the destination device lies on a remote network, beyond another layer 3 device, the process is the same except that the sending device sends an ARP request for the MAC address of the default gateway. After the address is resolved and the default gateway receives the packet, the default gateway broadcasts the destination IP address over the networks connected to it. The layer 3 device on the destination device's network uses ARP to obtain the MAC address of the destination device and delivers the packet.

We now describe the six steps that a host operating system follows when it needs to use ARP.

1. The sender determines the logical address (IP) of the destination.
2. The sender host asks ARP for the MAC address of the target machine, so an ARP_REQUEST message is generated; this message is sent with the broadcast address as the destination address in the layer 2 (Ethernet) header.
3. The ARP_REQUEST message is encapsulated in an Ethernet frame at layer 2 of the OSI model; the frame and ARP header are filled with SRC_MAC, SRC_IP and DST_IP, with the DST_MAC field filled with zeros.
4. Every device receives the ARP_REQUEST message, because the frame header carries the physical broadcast address as its destination; all devices discard the frame except the target (the device with the matching destination IP address).
5. The target device answers with an ARP_REPLY packet that contains its MAC address.
6. The sender device receives the ARP_REPLY and extracts the MAC address of the target device.
Note: an ARP_REQUEST is a broadcast message; an ARP_REPLY is a unicast message.
2.2.1 ARP Operations
The Address Resolution Protocol uses a simple message format; whether a message is an ARP_REQUEST or an ARP_REPLY depends on its opcode (OPCODE) [10, 11]. Each is discussed below.
• ARP request: the ARP protocol sends a broadcast request (ARP_REQUEST) for the target IP in order to obtain the destination MAC; the request reaches every host in the network, but only one host replies (ARP_REPLY) with its MAC address to the sender.
• ARP reply: after the target host receives the ARP_REQUEST it replies with its MAC address to the sender, and this reply (ARP_REPLY) is registered in the ARP cache of the sending host.
• ARP cache table: a table stored in the random access memory (RAM) of each host. Each record in the ARP cache associates an <IP, MAC> address pair. An ARP cache entry expires after a defined period if the device does not receive any ARP messages for it during that period.
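The request/reply exchange above and the <IP, MAC> versus DHCP-lease rule from the General Description of the Work, as an added example written for this page (it is not the thesis's RYU application). The frame layout follows RFC 826 over Ethernet; the lease table, the host addresses, the `ArpGuard` class and the verdict strings are constructed for the illustration, and it is an assumption that in a RYU application the same check would be applied to the frame bytes delivered by a packet-in event.

```python
"""Added example: parse Ethernet/ARP frames and apply the <IP, MAC> / DHCP-lease
consistency check. Illustrative code written for this page, not the thesis's
RYU application; where it would be wired into a packet-in handler is an
assumption."""
import struct
from dataclasses import dataclass

ETH_TYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


@dataclass(frozen=True)
class ArpFrame:
    eth_dst: str
    eth_src: str
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp_frame(frame: bytes) -> ArpFrame:
    """Decode the 14-byte Ethernet header and the 28-byte IPv4-over-Ethernet ARP body."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return ArpFrame(_mac(eth_dst), _mac(eth_src), op,
                    _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip,
                    eth_src=None, eth_dst=None) -> bytes:
    """Encode an ARP frame. eth_src defaults to the ARP sender MAC (the honest
    case); pass a different value to model a forged Ethernet source address."""
    eth_src = eth_src or sender_mac
    if eth_dst is None:
        eth_dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    eth = struct.pack("!6s6sH", _mac_bytes(eth_dst), _mac_bytes(eth_src), ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      _mac_bytes(sender_mac), _ip_bytes(sender_ip),
                      _mac_bytes(target_mac), _ip_bytes(target_ip))
    return eth + arp


class ArpGuard:
    """Controller-side filter: forward an ARP message only if its opcode is
    request/reply, the ARP sender MAC equals the Ethernet source MAC, and the
    sender's <IP, MAC> pair matches the DHCP lease table (IP -> MAC).
    Offending source MACs are remembered so later frames from them are dropped."""

    def __init__(self, leases: dict):
        self.leases = dict(leases)
        self.blocked = set()

    def inspect(self, raw: bytes) -> tuple:
        f = parse_arp_frame(raw)
        if f.eth_src in self.blocked:
            return "drop", "source MAC already blocked"
        if f.opcode not in (ARP_REQUEST, ARP_REPLY):
            return "drop", f"unsupported opcode {f.opcode}"
        if f.sender_mac != f.eth_src:
            return self._block(f, "ARP sender MAC differs from Ethernet source MAC")
        leased = self.leases.get(f.sender_ip)
        if leased is None:
            return self._block(f, f"no DHCP lease for {f.sender_ip}")
        if leased != f.sender_mac:
            return self._block(f, f"{f.sender_ip} is leased to {leased}, not {f.sender_mac}")
        return "forward", "ok"

    def _block(self, f: ArpFrame, reason: str) -> tuple:
        self.blocked.add(f.eth_src)
        return "drop", reason


if __name__ == "__main__":
    # Constructed sample data: a DHCP lease table for h1/h2 and two frames,
    # an honest request from h1 and a reply from a third host claiming h2's IP.
    leases = {"10.0.0.1": "00:00:00:00:00:01", "10.0.0.2": "00:00:00:00:00:02"}
    guard = ArpGuard(leases)
    honest = build_arp_frame(ARP_REQUEST, "00:00:00:00:00:01", "10.0.0.1",
                             "00:00:00:00:00:00", "10.0.0.2")
    spoofed = build_arp_frame(ARP_REPLY, "00:00:00:00:00:03", "10.0.0.2",
                              "00:00:00:00:00:01", "10.0.0.1")
    for raw in (honest, spoofed):
        print(guard.inspect(raw))
```

The check is deliberately stateless apart from the block list: it needs no continuous traffic or periodic probing, only the lease table that the DHCP server already maintains, which is the property the objectives above rely on.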

2.2.2 Static and Dynamic Entries in the ARP Cache

Static entries require an administrator to manually enter into the table the IP address, subnet mask, gateway and corresponding Media Access Control (MAC) address for each interface of each device. Static entries allow more control but require more work to maintain the table, which must be updated every time addresses are added or changed. Dynamic entries are learned automatically from the ARP messages the devices in a network exchange with each other; the table is built and changed automatically, and no administrative tasks are needed unless a time limit is introduced, so dynamic entries are more efficient than static ones. The default time limit is 4 hours. If the network has many entries that are added to and deleted from the cache, the time limit should be adjusted to fit the new conditions. The routing protocols that dynamic routing uses to learn routes, such as distance-vector and link-state protocols, are beyond the scope of this work.
2.3 OpenFlow
As stated in the previous section, communication between network devices and the controller is handled through the southbound API of the controller. Because the leading networking technology is Ethernet, the first standard for SDN was created to control Ethernet switches. OpenFlow [5] is a standardized protocol (maintained by the ONF) for SDN-based networks that handles the communication between Ethernet switches and the SDN controller. OpenFlow originated from SANE [6] and Ethane [7], which were among the first projects to separate the control and data planes. OpenFlow quickly became popular and, as an open standard, developed rapidly to support an increasing number of capabilities.

Fig 2.2 OpenFlow architecture

The OpenFlow network architecture consists of three fundamental components:

1. OpenFlow-compliant switches that make up the data plane.
2. The control plane, consisting of one or more OpenFlow controllers.
3. A secure control channel that links the switches with the control plane.

Communication between switches, and between switches and hosts, is carried out over the data path; communication between the controller and the switches is carried out over the control path, as shown in the figure. A secured connection is maintained between the OpenFlow controller and the switch using the SSL or TLS cryptographic protocols; in this case the switch and the controller mutually authenticate by exchanging certificates signed by a site-specific private key. Although this is a very effective security mechanism, the controller can still be harmed by a denial of service (DoS) attack or a man-in-the-middle attack, so good security practices should be put into use to stop such attacks.

Fig 2.3 OpenFlow connection

The flow and group tables govern the behavior of switches for data flows arriving from different interfaces, both physical and virtual. A table consists of a set of rules in which the handling of the communication data is defined. The switch acts on every flow according to these rules, which are called flow rules.

Fig 2.4 Flow rule table

An OpenFlow switch consists of one or more flow tables and a group table for frame lookups and forwarding. A flow rule consists of three fields:

1. Rule: the header fields to match against the frames of the flows. OpenFlow supports many Ethernet header fields and is designed to be extensible, so custom headers can also be defined. The switch only performs a bit-mask match; because of this, an OpenFlow switch is open to advanced non-IP traffic.
2. Action: when the rule is matched by traffic, it defines which action must be carried out. These actions are also open for extension, but a few basic actions are already given in the specification, for example forwarding to one or more ports, forwarding to the controller, dropping the frame and modifying frame fields. To add custom actions the only requirement is that the data path must be flexible while still providing high performance and low cost.
3. Statistics: whenever a flow rule is matched, the switch has to update the frame counters, which indicate the popularity of a specific flow. Counters are available for each table, each flow, all ports and each queue. In addition, a timer of last activity and the initial setup time of the flow are maintained.
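A small model of the flow table just described (match rule, actions, per-flow and per-table statistics), as an added example written for this page; it is neither the thesis's code nor an OpenFlow implementation. The `Match` field set, the action tuples and the sample entries (hosts h1 and h2 on ports 1 and 2, an attacker MAC placed in a drop rule, all ARP sent to the controller) are assumptions made for the illustration.

```python
"""Added example: a minimal model of an OpenFlow flow table with the three
fields described above (match rule, actions, statistics). Illustrative code
written for this page, not the thesis's RYU application and not an OpenFlow
implementation; field names, action tuples and sample entries are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed action encoding: ("output", port) | ("controller",) ; an empty list means drop.
Action = Tuple


@dataclass(frozen=True)
class Match:
    """Wildcard match: a field left as None matches anything (OpenFlow's masked
    match, modelled here at whole-field granularity)."""
    in_port: Optional[int] = None
    eth_src: Optional[str] = None
    eth_dst: Optional[str] = None
    eth_type: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        return all(v is None or pkt.get(k) == v for k, v in vars(self).items())


@dataclass
class FlowEntry:
    priority: int
    match: Match
    actions: List[Action]
    packets: int = 0   # per-flow statistics, updated on every hit
    bytes: int = 0


class FlowTable:
    def __init__(self):
        self.entries: List[FlowEntry] = []
        self.lookups = 0   # per-table statistics
        self.matched = 0

    def add(self, priority: int, match: Match, actions: List[Action]) -> None:
        self.entries.append(FlowEntry(priority, match, actions))
        # OpenFlow applies the highest-priority matching entry, so keep them sorted.
        self.entries.sort(key=lambda e: e.priority, reverse=True)

    def lookup(self, pkt: dict, length: int) -> List[Action]:
        """Return the actions for pkt and update the counters. A table miss
        (no entry matches) is sent to the controller, the OpenFlow 1.0 behaviour;
        later versions require an explicit table-miss entry for this."""
        self.lookups += 1
        for e in self.entries:
            if e.match.matches(pkt):
                e.packets += 1
                e.bytes += length
                self.matched += 1
                return e.actions
        return [("controller",)]


def build_demo_table() -> FlowTable:
    """Constructed sample: what a controller might install on a switch with
    h1 on port 1 and h2 on port 2 after it has blocked a spoofing host."""
    t = FlowTable()
    t.add(100, Match(eth_type=0x0806), [("controller",)])       # all ARP to the controller
    t.add(10, Match(eth_dst="00:00:00:00:00:02"), [("output", 2)])  # learned path to h2
    t.add(10, Match(eth_dst="00:00:00:00:00:01"), [("output", 1)])  # learned path to h1
    t.add(200, Match(eth_src="00:00:00:00:00:03"), [])          # quarantine the attacker, ARP included
    return t


if __name__ == "__main__":
    table = build_demo_table()
    print(table.lookup({"in_port": 1, "eth_src": "00:00:00:00:00:01",
                        "eth_dst": "00:00:00:00:00:02", "eth_type": 0x0800}, 1500))
    print(table.lookup({"in_port": 3, "eth_src": "00:00:00:00:00:03",
                        "eth_dst": "ff:ff:ff:ff:ff:ff", "eth_type": 0x0806}, 42))
```

The ordering matters for a security rule: the drop entry for the attacker is given a higher priority than the ARP-to-controller entry, otherwise the attacker's ARP frames would keep reaching the controller after it had already decided to block the host.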

An OpenFlow channel is the connection between the switch and the controller. This channel is typically encrypted with the Transport Layer Security (TLS) protocol; however, the channel can also run over plain Transmission Control Protocol (TCP).

This gives the controller an interface to manage and modify the flow and group tables of the OpenFlow switch. In turn, the switch also supplies the controller with its hardware information, the connectivity status of its ports and meter data for every flow rule.

The OpenFlow protocol predefines the message pattern used when communicating between the controller and the switch or among switches.

Network policies and services are implemented as OpenFlow applications that interact with the control plane through its northbound API (application programming interface). The capabilities of the control plane are used by an OpenFlow controller, which interacts with the data plane through the OpenFlow protocol (the southbound API).

OpenFlow-based SDN applications are developed on top of the underlying network infrastructure and deploy and use distinct capabilities at run time. Thus, control of network traffic is moved from the infrastructure to the controller. Network operators gain high levels of network control, automation and optimization with the help of SDN applications.

2.4 Network Attacks

Network attacks have been found to be as varied as the systems they try to penetrate. Attacks may be intentional or unintentional, and technically able intruders have been interested in targeting the protocols used for secure communication between networking devices (Reed 2003). This review addresses how highly sophisticated intruders penetrate networks despite high levels of security. As the intruders advance, network specialists derive many techniques for preventing attackers from accessing organizational networks.

2.4.1 Category of Security Attack.


Security chance can be separated and labeled into 4 parts and those categories are
the approaches or bureaucracy thru which threats can be executed on a community.

1. Unstructured Threats: (without guidelines, schedules, and many others.) security


chance is the sort of risk created by a green character trying to benefit get admission to
to a network. They generally use commonplace hacking equipment, like shell scripts,
22
and password crackers, an excellent protection answer have to without problems intrude
with the plans of/save you this type of attack. In different words, those styles of
computer criminals could not be underestimated because they are able to reason serious
damage to the network.

2. Established Threats: in contrast to (without rules, schedules, and so forth.) threats,


established danger computer criminals are well experienced and particularly fancy (or
smart). They use fancy (or smart) hacking gear to penetrate networks and they could
spoil into authorities or commercial enterprise computer systems to extract information.
On sure activities, established threats are completed by way of prepared criminal gangs
or industry competition.

3. External Threats: unauthorised people outside the organisation, who do not have access to the company's computer system or network, can cause external threats. They typically break into a company's network through the Internet or a server. Both skilled and inexperienced computer criminals can cause external threats.

4. Internal Threats: this kind of threat could come from an unhappy or angry employee who has authorised access to the company's network. As with external threats, the damage that could be caused by such a computer criminal depends on their skill.

Technically skilled computer criminals have been able to fashion structured attacks targeted at communication protocols. The OSI model has seven layers that are used for communication between networking devices, and each has weaknesses that can be exploited. Essentially, the higher layers cannot be secured while the lower layers are left unsecured, yet over the past few years there has been limited attention to threats at the physical layer or data link layer, despite changes in network operational practice that include trends like nationwide layer networks and national and wide-area optical networks. Known threats at the lower levels of the OSI stack now include ARP spoofing, MITM (man-in-the-middle) attacks at the data link layer, and physical layer attacks, which include passive optical taps or the interception of wireless network signals by attackers. While these of the computer criminal.

2.4.2 ARP Attacks


2.4.3 ARP poisoning Attack
This thesis focuses on the ARP Poisoning Attack, which is one of the ARP sniffing attacks. The following describes what ARP poisoning is.

ARP spoofing is a mechanism applied by attackers to execute cache poisoning by inserting fake (IP to MAC) address mappings in the victim's ARP cache table. ARP spoofing attacks appear in various forms, particularly request and response attacks. In a request attack, an attacker broadcasts an ARP_REQUEST message with a rigged source <IP, MAC> pair in the ARP header. When the victim receives this spoofed ARP message, it updates its ARP cache records with the attacker's rigged <IP, MAC> pair [13]. When the victim later sends packets destined to the rigged IP, the packets are delivered to the MAC chosen by the attacker in the rigged <IP, MAC> pair. In this way the attacker can intercept or deny the traffic sent to a host in the network. The other form of attack is the response attack, in which the attacker either replies to a regular ARP_REQUEST with a forged ARP_REPLY that maps the next-hop IP to the attacker's MAC address, or sends a spoofed ARP_REPLY without any request having been issued [14]. With ARP cache poisoning, an eavesdropper can simply impersonate any other host on its network and gain complete access to sensitive data transferred between hosts. The attack can easily be carried out by the attacker using some of the tools specialised for it [15]. There are multiple types of attack that use the ARP protocol [16]. They can create vulnerabilities and impair the privacy of data; the various schemes for mitigating them are based on two main methods (the detection method and the prevention method). In this thesis we aim to find the most suitable solution by analysing all of the cases and looking at their features and weaknesses.

In order to minimise the number of ARP_REQUESTs broadcast over the network, devices (operating systems) hold a cache of the ARP_REPLYs received from other hosts on the network. So, when a host receives an ARP_REPLY, it usually updates its ARP cache records with the new association entry. Note that the <IP, MAC> mapping received in the ARP_REPLY should be used to update the ARP cache table only if the sender's IP and source MAC (SRC_MAC) addresses are already in the DHCP table and SRC_MAC matches the hardware address. ARP keeps no state and does not check whether an ARP_REPLY was actually related to a request before updating the <IP, MAC> pairing in the host's ARP cache table. In the proposed scheme the update is executed only if the pair is in the DHCP lease table and SRC_MAC matches the hardware address of the Ethernet header at layer 2. Otherwise, by pairing a fake <IP, MAC>, the attacker has sensitive data transferred to the attacker's device without any alarm being raised at the victim hosts, using tools that improve the attacker's performance, such as Ettercap on Linux.

Fig 2.5 Show Man in the Middle Attack Operations

CHAPTER THREE.PROPOSED WORK

3.1 Overview
We will introduce the proposed detection and prevention system, which relies on SDN features and characteristics, against the ARP Poisoning Attack.

This section describes the proposed algorithm and the way it works to detect and prevent ARP Poisoning attacks. Two algorithms are introduced in this section:

The first algorithm works in a dynamic environment, where a DHCP server is used to assign IP addresses on the network.

The second algorithm works in a static environment, such as data centre equipment.

The proposed work is based on two phases:

A- Detection Phase: this phase works to detect the ARP Poisoning attack based on the proposed algorithm.
B- Prevention Phase: this phase works to prevent the attack based on administrator rules.

3.2 Problem Definition


ARP cache poisoning occurs when an attacker exploits the ARP mechanism to update the ARP table with an untrusted (fake) entry. The attacker sends multiple replies to the victim host that contain a host's IP and the attacker's MAC address, and the victim host accepts the attacker's replies and updates its ARP table, because ARP is a stateless protocol. Fake ARP broadcasts can also be used to update all cache table entries within the LAN topology, so sensitive information exchanged between communicating devices (hosts) might be extracted without any monitoring on the victim host. How to face this sort of attack must be worked out; the simple attack process scenario is shown in Figure 3.1 with the following steps:

Fig 3.1: The DP ARP Cache Poisoning Attack.

The attacker first sends a legitimate gratuitous ARP reply to a host. The controller installs a flow to allow this message to traverse the network to the target host.
The attacker now creates a new gratuitous ARP reply. This message keeps the details needed to traverse the flow which now exists in the network, but also contains a modified ARP header. The source IP and source hardware address are changed in order to poison the recipient's ARP cache. The attacker sends this message to the target.

The crafted ARP reply piggybacks on the existing flow, which conceals the traffic from the controller. The message then reaches the host and poisons its ARP cache with the details in the modified ARP header.
In the world of network security there are two methods of protection: the prevention method and the detection method. The prevention method attempts to stop the attack from occurring, while the detection method triggers some sort of alarm when an attack is detected.

3.3 Proposed Algorithm

For the best security mechanism, both the prevention and detection methods should be implemented to protect our network. This method is implemented on the SDN RYU Controller with Open vSwitch (OVS) connecting the hosts. The Detection System and Prevention System work according to the following steps:

1. The SDN RYU Controller receives a packet.
2. Check the packet (is it an ARP packet or not).
3. If the packet is an ARP packet, go to the Detection System phase to check whether it is a valid or an invalid ARP packet.
4. If the packet is a valid ARP packet, send the ARP packet (REQUEST or REPLY) to the specific host.
5. If the packet is an invalid ARP packet, go to the Prevention System with the actions (drop the packet, delete the Path ID and disable the switch port).

Fig 3.2: Detection and prevention System Process.

3.3.1 DHCP Server Operation


The DHCP protocol is used to dynamically assign IP addresses and other network configuration parameters to the hosts. A DHCP client exchanges messages with the DHCP server present on the controller to get an IP address and other parameters. Figure 3.3 shows the DHCP Client List.

Fig 3.3 DHCP Client List

The controller extracts the IP and MAC addresses from the DHCP header and uses them to add an entry to the known hosts list (DHCP Leased Table). This known hosts list keeps track of all the IP addresses leased by the DHCP server. The controller starts monitoring each of the ports on the switches connected to it. It also installs flow entries on the edge switches to forward ARP and DHCP lease packets to it for analysis. When the controller receives a packet from an edge switch, it processes it according to the protocol present in the packet. ARP and DHCP packets are handled according to the proposed logic to detect any attack.

3.3.2 Detection System
Network security in SDN can be achieved by using SDN's features and characteristics, or by using the programmable plane to solve the security problems of SDN itself. SDN offers us the potential to collect the required information from the network and gives a way to analyse it and discover malicious hosts [17]. After the analysis, the network can also be reprogrammed to implement any protection policy.

The proposed method is an application on the SDN RYU controller written in Python; it prevents LAN attackers from poisoning the ARP cache tables of the other hosts present in the network. It detects and mitigates ARP_REQUEST and ARP_REPLY spoofing attacks; the main approach of the proposed algorithm is based on logic matching.

The SDN implementation of the proposed algorithm analyses the ARP packets, monitors the massive inflow of malicious packets and stops them by installing OpenFlow rules and policies.

In the Detection System the RYU Controller uses an algorithm to detect the ARP poisoning attack. This algorithm selects the payload OPCODE in the ARP packet; this field is used to define the type of the received packet.

When the controller receives an ARP packet, it extracts the opcode to learn whether it is a request packet or a reply packet: if opcode = 1 the packet is an ARP_REQUEST, so the proposed algorithm handles it as an ARP_REQUEST; if opcode = 2 it is a reply packet.

The ARP packet is encapsulated in the Ethernet frame, so the source MAC (SRC_MAC) address is found both in the ARP packet and in the Ethernet frame ("Fig 3.1 shows SRC_MAC in the Ethernet header and ARP header"). The attacker tries to change the MAC address in the ARP packet to exploit the weakness of the ARP mechanism.

The MAC address in the Ethernet frame is called the HW (hardware) address, so the proposed algorithm first matches the received SRC_MAC with the HW address. The next step matches the information <ARP_SRC_MAC, ARP_DST_MAC, ARP_DST_IP, ARP_SRC_IP> in the ARP packet against the DHCP Leased Table <MAC, IP> and the Ethernet header, because each host that receives an IP from DHCP is saved in the DHCP Leased Table with some information such as MAC address, lease time, etc. Fig 3.2 shows the Detection System scenario.

Fig 3.4: Detection System Process.

So if any mismatch occurs in this logic, it indicates that the packet has been altered by the attacker; otherwise it is a valid ARP packet.

This operation and logic matching is applied by the SDN controller. Each packet passes to the controller, which extracts the Ethernet header and then the ARP packet. The controller starts monitoring each of the ports on the switches connected to it.

When the RYU controller receives a packet from the Open vSwitch software (OVS), it processes it based on the protocol in the header.

ARP is handled according to the proposed logic to detect any attack. Figure 3.5 below shows the ARP packet encapsulated inside an Ethernet frame.

Fig 3.5 ARP Packet Encapsulated inside an Ethernet Frame.

3.3.3 Prevention System


The Prevention System is applied when the Detection System detects a malicious packet. This phase works based on administrator rules, such as deny rules, permit rules, etc.

In the proposed work the controller is programmed to act on an invalid packet with these rules:

1. Drop the packet.
2. Delete the flow entry from the flow table.
3. Disable the ingress port on Open vSwitch.

These rules are applied when the detection phase has detected an invalid packet. Figure 3.6 shows the Prevention System steps.

Fig 3.6: Prevention Phase Process

After completing the prevention phase, the attacker cannot communicate with any host, because the data path (Path ID) has been removed from the flow table and the attacker's physical port on the OVS has also been disabled by the administrative rules.

Next, the detection and prevention method is explained based on flowcharts that describe how the SDN Controller handles the ARP Poisoning attack. Figure 3.4 shows the ARP_REQUEST proposed application and Figure 3.5 shows the ARP REPLY.

We introduce two proposed flowcharts:

A- Proposed flowchart when the SDN Controller receives an ARP REQUEST packet, according to the following steps:
1. The RYU SDN controller receives the ARP packet.
2. The SDN Controller checks the "opcode" to sort the ARP packet (REQUEST or REPLY).
3. If OPCODE = 1 the packet is an ARP REQUEST, so the controller handles it as an ARP REQUEST.
4. Check whether the destination IP in the ARP packet is the same as an IP in the DHCP Leased Table, based on the <MAC, IP> pairs. If the destination IP does not match an IP in the DHCP Leased Table, the controller hands the ARP REQUEST to the Prevention Phase.
5. If the step 4 condition succeeds, another condition is checked: whether the source MAC address in the Ethernet header matches the source MAC address in the ARP header. If the source MAC in the Ethernet header does not match the source MAC in the ARP header, the controller hands the ARP REQUEST to the Prevention Phase.
6. If step 5 succeeds, another condition is checked: whether the source IP in the ARP header paired with the source MAC address in the ARP header matches a pair in the DHCP Leased Table, i.e. {(SRC_IP, SRC_MAC) in ARP header} matches {(SRC_IP, SRC_MAC) in DHCP Leased Table}. If not, the controller hands the ARP REQUEST to the Prevention Phase.
7. If steps 4, 5 and 6 succeed, the controller updates the ARP Cache Table.
8. End

Next, these steps are shown according to the flowchart in Figure 3.7, when the SDN Controller handles the packet as an ARP REQUEST.

Fig 3.7: How the SDN Controller Handles the ARP REQUEST Based on the Detection and Prevention System.

B- Proposed flowchart when the SDN Controller receives an ARP REPLY packet, according to the following steps:

1. The RYU SDN controller receives the ARP packet.
2. The SDN Controller checks the "opcode" to sort the ARP packet (REQUEST or REPLY).
3. If OPCODE = 2 the packet is an ARP REPLY, so the controller handles it as an ARP REPLY.
4. Check whether the source MAC address in the Ethernet header matches the source MAC address in the ARP header. If the source MAC in the Ethernet header does not match the source MAC in the ARP header, the controller hands the packet to the Prevention Phase.
5. Check whether the destination MAC address in the Ethernet header matches the destination MAC address in the ARP header. If the destination MAC in the Ethernet header does not match the destination MAC in the ARP header, the controller hands the packet to the Prevention Phase.
6. If step 5 succeeds, another condition is checked: whether the source IP paired with the source MAC address in the ARP header matches a pair in the DHCP Leased Table, i.e. {(SRC_IP, SRC_MAC) in ARP header} matches {(SRC_IP, SRC_MAC) in DHCP Leased Table}, OR the destination IP paired with the destination MAC address in the ARP header matches a pair in the DHCP Leased Table, i.e. {(DST_IP, DST_MAC) in ARP header} matches {(DST_IP, DST_MAC) in DHCP Leased Table}. If not, the controller hands the packet to the Prevention Phase.
7. If steps 4, 5 and 6 succeed, the controller updates the ARP Cache Table. Next, these steps are shown according to the flowchart in Figure 3.8, when the SDN Controller handles the packet as an ARP REPLY.

Fig 3.8: How SDN Controller Handles the ARP REPLY Based on Detection and
Prevention System
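The detection logic of sections 2.4.3 and 3.3.2 and of flowcharts A and B above, as an added example in Python; it is not part of the thesis or of the author's Ryu application. It parses a raw Ethernet+ARP frame (the encapsulation of Fig 3.5), validates a request or reply against a DHCP lease table and returns the verdict together with the three prevention actions of section 3.3.3. The lease table, the MAC and IP values (chosen to follow the thesis topology and Mininet's --mac addressing) and the sample frames are constructed test vectors, and the prevention actions are returned as labels rather than sent as OpenFlow messages. One deliberate difference: flowchart B step 6 is written with OR between the sender pair and the target pair; the example requires both pairs to match, because a forged reply can carry a correct target pair while the sender pair is the poisoned one.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

# Prevention actions of section 3.3.3, returned as labels here; in a Ryu app
# they would become a dropped packet, a flow-table delete and a port-down.
PREVENTION_ACTIONS = ("drop_packet", "delete_flow_entry", "disable_ingress_port")


@dataclass(frozen=True)
class ArpFrame:
    eth_dst: str
    eth_src: str
    opcode: int
    arp_src_mac: str
    arp_src_ip: str
    arp_dst_mac: str
    arp_dst_ip: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes) -> ArpFrame:
    """Split a raw frame into its 14-byte Ethernet header and the 28-byte ARP packet it carries."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    return ArpFrame(_mac(eth_dst), _mac(eth_src), opcode,
                    _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


def build_arp_frame(eth_src: str, eth_dst: str, opcode: int,
                    sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Test-vector helper: serialise the fields into a frame for the parser."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return (struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETH_TYPE_ARP)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                          mac(sha), ip(spa), mac(tha), ip(tpa)))


def validate_arp(f: ArpFrame, leases: dict[str, str]) -> tuple[bool, str]:
    """Detection phase: flowchart A for requests, flowchart B for replies.
    leases maps each DHCP-leased IP to the MAC it was leased to."""
    if f.opcode == ARP_REQUEST:
        if f.arp_dst_ip not in leases:                    # A, step 4
            return False, "request target IP has no DHCP lease"
        if f.eth_src != f.arp_src_mac:                    # A, step 5
            return False, "Ethernet source MAC differs from ARP sender MAC"
        if leases.get(f.arp_src_ip) != f.arp_src_mac:     # A, step 6
            return False, "ARP sender <IP, MAC> not in DHCP lease table"
        return True, "valid ARP request"
    if f.opcode == ARP_REPLY:
        if f.eth_src != f.arp_src_mac:                    # B, step 4
            return False, "Ethernet source MAC differs from ARP sender MAC"
        if f.eth_dst != f.arp_dst_mac:                    # B, step 5
            return False, "Ethernet destination MAC differs from ARP target MAC"
        # B, step 6, tightened: both the sender pair and the target pair must
        # be in the lease table (the thesis writes the two checks with OR).
        if leases.get(f.arp_src_ip) != f.arp_src_mac:
            return False, "ARP sender <IP, MAC> not in DHCP lease table"
        if leases.get(f.arp_dst_ip) != f.arp_dst_mac:
            return False, "ARP target <IP, MAC> not in DHCP lease table"
        return True, "valid ARP reply"
    return False, f"unknown ARP opcode {f.opcode}"


def handle_arp_frame(frame: bytes, leases: dict[str, str],
                     arp_cache: dict[str, str]) -> dict:
    """Controller decision: a valid frame updates the controller's ARP view
    (step 7); an invalid one goes to the prevention phase."""
    f = parse_arp_frame(frame)
    valid, reason = validate_arp(f, leases)
    if valid:
        arp_cache[f.arp_src_ip] = f.arp_src_mac
        return {"valid": True, "reason": reason, "actions": ()}
    return {"valid": False, "reason": reason, "actions": PREVENTION_ACTIONS}


# Constructed lease table for the thesis topology (Mininet --mac addressing).
LEASES = {"10.1.1.1": "00:00:00:00:00:01",
          "10.1.1.2": "00:00:00:00:00:02",
          "10.1.1.3": "00:00:00:00:00:03"}
H1, H2, H3 = LEASES["10.1.1.1"], LEASES["10.1.1.2"], LEASES["10.1.1.3"]

# Constructed test vectors: two honest frames and two the detector must flag.
GOOD_REQUEST = build_arp_frame(H2, BROADCAST_MAC, ARP_REQUEST, H2, "10.1.1.2", ZERO_MAC, "10.1.1.3")
GOOD_REPLY = build_arp_frame(H3, H2, ARP_REPLY, H3, "10.1.1.3", H2, "10.1.1.2")
POISON_REPLY = build_arp_frame(H1, H2, ARP_REPLY, H1, "10.1.1.3", H2, "10.1.1.2")  # h1 claims h3's IP
MISMATCH_REQUEST = build_arp_frame(H1, BROADCAST_MAC, ARP_REQUEST, H2, "10.1.1.2", ZERO_MAC, "10.1.1.3")

if __name__ == "__main__":
    cache: dict[str, str] = {}
    for name, frame in [("good request", GOOD_REQUEST), ("good reply", GOOD_REPLY),
                        ("poisoned reply", POISON_REPLY), ("mismatched request", MISMATCH_REQUEST)]:
        print(f"{name:18s} -> {handle_arp_frame(frame, LEASES, cache)}")
    print("controller ARP view:", cache)
```

The poisoned reply passes the two MAC-consistency checks (the attacker's Ethernet source and ARP sender MAC agree, as they would for a frame Ettercap emits from its own interface) and is caught only by the lease-table check on the sender pair, which is why the example does not rely on the OR form of step 6. In a Ryu application the same function would run inside the packet-in handler, with the lease table filled from the DHCP exchange described in section 3.3.1.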

CHAPTER FOUR.THE IMPLEMENTATION AND RESULT

4.1 Overview

This section shows how to implement the proposed algorithm within the SDN lab. It also presents the SDN simulator and the way we establish the OpenFlow connection between the controller and the switch; in addition, the proposed work is examined with the Wireshark program to check the current traffic status and the state of the OpenFlow connection when the attacker carries out the poisoning attack.

4.2 Virtual Machines

It is a logical conclusion that training and study must take a crucial portion of the effort invested in the implementation. In order to invest this effort and time in the most effective way, it is usual for software developers to provide tutorial systems encapsulated in customised Virtual Machines (VMs). The possibility of running simulated machines inside real physical ones is not new, but it is still quite useful. By creating a VM image with the OS and software required for a specific task, like training in SDN, we can simplify access to knowledge and increase the efficiency of some processes that need to be replicated on several different machines.

In the context of this work, the VMs have a relevant role in the training part, as they are the main learning tools provided by the developers of both Mininet and the RYU Controller. The tool chosen to run them in this project has been VMware. VMware is a widely used platform available for all major operating systems and is used to run VMs via a GUI or via the command line. Nevertheless, working on a VM inside a remote machine via SSH has proven to be neither the most reliable nor the most comfortable way.

4.3 Mininet (SDN Simulator)

Mininet is a network emulator which creates a network of virtual hosts, switches, controllers, and links. Mininet hosts run standard Linux network software, and its switches support OpenFlow for highly flexible custom routing and Software-Defined Networking.

Mininet supports research, development, learning, prototyping, testing, debugging, and any other tasks that could benefit from having a complete experimental network on a laptop or other PC.

Mininet:

 Provides a simple and inexpensive network testbed for developing OpenFlow applications
 Enables multiple concurrent developers to work independently on the same topology
 Supports system-level regression tests, which are repeatable and easily packaged
 Enables complex topology testing, without the need to wire up a physical network
 Includes a CLI that is topology-aware and OpenFlow-aware, for debugging or running network-wide tests
 Supports arbitrary custom topologies, and includes a basic set of parametrized topologies
 Is usable out of the box without programming, but
 Also provides a straightforward and extensible Python API for network creation and experimentation

To develop a reliable testing environment we needed a stable network simulation platform. A prominent tool in the world of network simulation is Mininet. Mininet was intended to be a simulation and learning tool for networking, and has evolved to become one of the main options for SDN and OpenFlow simulations and experiments.

It works as an emulation of a network built with Linux-based hosts and switches that support OpenFlow, in which it is possible to create networks with custom complex topologies, allowing experimentation in an inexpensive, fast and scalable way. As seen in the State of the Art, the SDN architecture is built over a physical network used as the infrastructure.

In the current project, we have considered it more convenient to simulate this physical network using Mininet. Its goal is to provide the basic infrastructure over which the virtualisation/emulation layer will be established.

To do so we define a topology that matches the needs of the project without adding excessive complexity. Topologies can be defined using different methods; for our set-up we have chosen to define it using the Mininet libraries for Python.

Getting started with Mininet (in Ubuntu) is as simple as installing it via the command line from the repository and executing "$ sudo mn" in a terminal. Figure 4.1 shows how Mininet runs in the Linux environment. You can add command-line options such as the number of switches and hosts, the kind of topology, etc., but in the end it is easier to code it in a Python script.

Fig 4.1: How to run Mininet in Linux Operating System

4.4 RYU Open Flow Controller

The key element of every SDN architecture is the controller: it defines the rules on which the network is based and the main and backup routes of the packets, and enforces them by pushing flow tables into the networking elements.

The controller also collects live information about the status, traffic and performance of the network in order to keep it as efficient as possible and to change paths in case of link saturation or failure. For the work set-up, we have chosen the RYU controller. Figure 4.2 shows the RYU SDN Framework.

RYU is a component-based software-defined networking framework. Ryu provides software components with a well-defined API that makes it easy for developers to create new network management and control applications.

RYU supports various protocols for managing network devices, such as OpenFlow, Netconf, OF-config, etc.

Note: RYU means "flow" in Japanese. Ryu is pronounced "ree-yooh".

Fig 4.2: RYU SDN Controller Framework.

4.5 Wireshark and Testing Phase

The tests consisted of defining different topologies and progressively adding elements in each successive scenario. The tool used for evaluating their performance has been, mainly, Wireshark.

Wireshark is an open-source packet analyser. It allows capturing the traffic on the interface of interest and then visualising every packet with additional information such as the protocol used, the source and the destination.

In this work, Wireshark has been used to understand the underlying behaviour of the different elements and the interactions between them.

In order to understand the working principles of the testing environment, we build different topologies. These topologies are deployed in Mininet.

For these tests, we capture the packets with Wireshark and then filter the OpenFlow packets in each scenario. The scenario is the Mininet topology running with the controller; we connect the topology to a remote RYU controller.

The test is always performed in the same way:

1. Start the Wireshark capture.
2. Launch the required software.
3. Mininet > pingall.
4. sudo ovs-ofctl dump-flows s1.
5. Stop the Wireshark capture.

In the following section, we provide the results of the commands listed above as well as the Wireshark captures, in order to show and understand the behaviour of the different scenarios studied.

4.6 Lab Environment

We use the topology in Figure 4.3 as the test scenario for the proposed algorithm in the SDN topology.

The scenario consists of:

1. RYU SDN Controller: a component-based software-defined networking framework. RYU provides software components with a well-defined API that makes it easy for developers to create new network management and control applications.
2. Open vSwitch: Open vSwitch is a production-quality, multilayer virtual switch licensed under an open-source licence. It is designed to enable massive network automation through programmatic extension, while still supporting standard management interfaces and protocols.
3. End User: an end user is a person that a software program or hardware device is designed for. The term is based on the idea that the "end goal" of a software or hardware product is to be useful to the consumer.

Fig 4.3: Proposed Topology Scenario
The topology contains three hosts (host 1, host 2 and host 3) with IP addresses (10.1.1.1, 10.1.1.2, 10.1.1.3). Host 1 acts as the attacker node; this node listens to the other nodes, host 2 and host 3, which are the victim nodes.

In this experiment, a minimal topology is built and deployed with Mininet. Composed of only one switch and three connected hosts, its purpose is to make sure that all the parts perform as expected.

Next, the scenario topology (one switch and three hosts) is created in the Mininet simulation using this command: "it@ubuntu:~$ sudo mn --controller=remote,ip=127.0.0.1 --mac -i 10.0.0.0/24 --switch=ovsk,protocols=OpenFlow13 --topo=single,3"

This command is used to build the topology with the following requirements:

1. The network address of the topology is 10.0.0.0/24.
2. The switch NOS is Open vSwitch.
3. The SDN Controller server IP is 127.0.0.1 (localhost IP).
4. OpenFlow Protocol Version 3.
5. The topology diagram is a single topology.
6. The topology diagram is shown in Figure 4.4.

Fig 4.4 Proposed Topology based on Mininet Simulation.

4.6.1 First scenario: Simple Topology without RYU Controller

In this scenario, the hosts in the topology cannot communicate with each other because there is no OpenFlow table; in other words, no SDN controller is implemented in this scenario. No OpenFlow packets are captured, there is no visibility between hosts and no flow table on the switch. This makes sense as nothing is pushing OpenFlow commands into the switch. Figure 4.5 shows the test scenario result without SDN; the ICMP protocol is used to test host connectivity.

Fig 4.5: Scenario Test without SDN Controller with No Response from the Hosts.

4.6.2 Second scenario: Simple Topology with RYU Controller.

In this second scenario, we find that the remote controller works as expected and pushes a flow table into the switch, in doing so allowing the hosts to see each other; in other words, in this scenario the SDN controller builds the OpenFlow table and sets up the secure connection between the hosts so that each can see the others. Figure 4.6 shows the host connectivity after the RYU Controller is added to the scenario. The ICMP protocol is used to test host connectivity; the ICMP result shows no packet drops.

Fig 4.6: Scenario Test with SDN Controller.

The OpenFlow table is also shown in Figure 4.7, because the SDN Controller sets up the rules and policy for each host in the topology, such as ingress port, duration, cookies, table number, etc.

Flow Table: the basic building block of the logical switch architecture is the flow table. Each packet that enters a switch passes through one or more flow tables. Each flow table contains entries consisting of six components:

 Match Fields: used to select packets that match the values in the fields.
 Priority: relative priority of table entries.
 Counters: updated for matching packets. The OpenFlow specification defines a variety of timers. Examples include the number of received bytes and packets per port, per flow table, and per flow-table entry; the number of dropped packets; and the duration of a flow.
 Instructions: actions to be taken if a match occurs.
 Timeouts: maximum amount of idle time before a flow is expired by the switch.
 Cookie: opaque data value chosen by the controller. May be used by the controller to filter flow statistics, flow modification, and flow deletion; not used when processing packets.

Fig 4.7: Flow Table Entry on Switch S1 in the Proposed Work.
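An in-memory model of the six flow entry components just listed, added here as an example; it is not code from the thesis, from Open vSwitch or from Ryu. Lookup picks the highest-priority matching entry and updates its counters, idle entries expire on the switch side, and deletion by cookie stands in for the controller-driven flow removal used in the prevention phase. The entries for switch s1 (ARP punted to the controller as in section 3.3.1, an h1-to-h2 forwarding rule, a table-miss entry) and the sample packets are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class FlowEntry:
    """One flow table entry with the six components listed above."""
    match: dict                 # match fields: header/port values that select packets
    priority: int               # relative priority among overlapping entries
    instructions: list[str]     # e.g. ["output:2"], ["controller"], ["drop"]
    cookie: int = 0             # opaque controller value, never consulted when matching
    idle_timeout: float = 0.0   # seconds of inactivity before the switch expires it (0 = never)
    packets: int = 0            # counters, updated on every match
    bytes: int = 0
    last_hit: float = 0.0


class FlowTable:
    def __init__(self) -> None:
        self.entries: list[FlowEntry] = []

    def add(self, entry: FlowEntry, now: float) -> None:
        entry.last_hit = now
        self.entries.append(entry)

    def expire(self, now: float) -> int:
        """Switch-side idle timeout handling; returns how many entries were removed."""
        before = len(self.entries)
        self.entries = [e for e in self.entries
                        if e.idle_timeout == 0 or now - e.last_hit < e.idle_timeout]
        return before - len(self.entries)

    def delete_by_cookie(self, cookie: int) -> int:
        """Controller-driven removal keyed by cookie (prevention step 2, delete the flow entry)."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if e.cookie != cookie]
        return before - len(self.entries)

    def lookup(self, packet: dict, now: float) -> Optional[list[str]]:
        """Instructions of the highest-priority entry whose match fields all equal the
        packet's fields; None means a table miss with no entry at all."""
        self.expire(now)
        candidates = [e for e in self.entries
                      if all(packet.get(k) == v for k, v in e.match.items())]
        if not candidates:
            return None
        best = max(candidates, key=lambda e: e.priority)
        best.packets += 1
        best.bytes += packet.get("len", 0)
        best.last_hit = now
        return best.instructions


def build_s1_table() -> FlowTable:
    """Constructed table for switch s1 of the thesis topology: ARP is sent to the
    controller for analysis, h1-to-h2 traffic is forwarded, and an empty-match
    entry at priority 0 sends everything else to the controller."""
    t = FlowTable()
    t.add(FlowEntry({"eth_type": 0x0806}, priority=100, instructions=["controller"], cookie=1), now=0.0)
    t.add(FlowEntry({"in_port": 1, "eth_dst": "00:00:00:00:00:02"}, priority=10,
                    instructions=["output:2"], cookie=0x11, idle_timeout=30), now=0.0)
    t.add(FlowEntry({}, priority=0, instructions=["controller"], cookie=0), now=0.0)
    return t


if __name__ == "__main__":
    t = build_s1_table()
    arp = {"in_port": 1, "eth_type": 0x0806, "eth_dst": "ff:ff:ff:ff:ff:ff", "len": 42}
    ip = {"in_port": 1, "eth_type": 0x0800, "eth_dst": "00:00:00:00:00:02", "len": 98}
    print(t.lookup(arp, 1.0))   # ARP rule at priority 100 beats the port rule
    print(t.lookup(ip, 2.0))    # forwarded out port 2, counters updated
    print(t.delete_by_cookie(0x11), t.lookup(ip, 3.0))  # after prevention: back to the controller
```

The ARP packet arrives on port 1 and so also matches the forwarding rule's in_port field, but it is eth_dst that decides: the broadcast destination does not match the h2 rule, and the priority-100 ARP entry wins regardless. The idle_timeout on the forwarding rule is what makes the ovs-ofctl dump-flows output in section 4.5 change between captures even when the controller has not deleted anything.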

4.6.3 Mininet Host Implementation

In this section the attack is shown without the proposed solution; the Ettercap tool is used to generate the attack in the Mininet topology on the Linux operating system.

Ettercap tool: Ettercap is a comprehensive suite for man-in-the-middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.

Mininet: a network emulator which creates a network of virtual hosts, switches, controllers, and links. Mininet hosts run standard Linux network software, and its switches support OpenFlow for highly flexible custom routing and Software-Defined Networking.

4.6.3.1 Create SDN Topology


Firstly, the "SDN Topology" must be created, using this command: "it@ubuntu:~$ sudo mn --controller=remote,ip=127.0.0.1 --mac -i 10.0.0.0/24 --switch=ovsk,protocols=OpenFlow13 --topo=single,3"

The previous command is used to build the topology with the following requirements:

1- The network address of the topology is 10.0.0.0/24.
2- The switch NOS is Open vSwitch.
3- The SDN Controller server IP is 127.0.0.1 (localhost IP).
4- OpenFlow Protocol Version 3.
5- The topology diagram is a single topology.
6- Figure 4.8 shows the command result.

Fig 4.8: Single Topology Node (H1, H2, H3, C0, and S1).

 Enter host mode. This step helps us to show the host parameters, such as the IP address and MAC address of each node. The following command is used to enter host mode: "xterm h1 h2 h3"; this command runs inside the Mininet CLI. The result of the xterm command is shown in Figure 4.9.

Fig 4.9: The Result of the Xterm Command.

 Check the connectivity between hosts by using the ICMP protocol.

To check the connectivity between the hosts, the Internet Control Message Protocol (ICMP) is used. ICMP is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating, for example, that a requested service is not available or that a host or router could not be reached. Figure 4.10 shows the result of the ICMP "pingall" command.

Fig 4.10: Result of the Host’s Connectivity.

 Show the ARP Cache Table of Each Host.

The following is the ARP cache table before the ARP poisoning attack is carried out. This table contains the (IP address, MAC address, physical interface) for each node in our topology.

To show the ARP cache table of each host, the "xterm" command must be run first to open host mode for each host ("Figure 4.9 shows the xterm command"). After that, "arp -a" must be run in each host to show the ARP cache table. Figure 4.11 shows the ARP cache table result for each host.

Fig 4.11: The ARP Cache Table of (H1, H2, and H3).

Note: each host that needs to communicate with another host must ask its ARP table for the MAC address of the next-hop node. For example, if H1 needs to communicate with H2, H1 must ask its ARP cache table for the MAC address of H2; if the MAC address of H2 is not found in the ARP table of H1, H1 must send an ARP_REQUEST to get the MAC address of H2.

4.6.3.2 ARP Attack Implementation.

In this section it is shown how the ARP attack is created using the Ettercap tool. In our topology H1 is the attacker node, and H2 and H3 are the victim nodes. H1 runs Ettercap to change the ARP tables of H2 and H3 using this command: "ettercap -T -W test.pcap -M ARP /10.1.1.2// /10.1.1.3//". Figure 4.12 shows the Ettercap command.

Fig 4.12: How Ettercap Poisons the ARP Table.

After running the previous command in host mode on H1, the result is:

1. The ARP cache tables of (H2, H3) are poisoned.
2. An analysis file of the attack operation is saved as "test.pcap"; this file is a Wireshark file.
3. 10.1.1.2 and 10.1.1.3 are the IP addresses of the victim hosts.
4. The command "ettercap -T -W test.pcap -M ARP /10.1.1.2// /10.1.1.3//", run inside host mode on H1, shows the result of the poisoning by Ettercap.
5. The result of this command is that the MAC addresses of H2 and H3 are replaced with the MAC address of H1. This makes all traffic go through H1. For example, when H2 needs to send a "Hello Message" to H3, this message is sent to H1 as well as H3, because H1 has changed its MAC to the same MAC as H3; in other words, in our network there are two MACs with the same address. Figure 4.13 shows the ARP cache poisoning of H2 and H3.

Fig 4.13: Result of the Poisoning Command of Ettercap

Fig 4.14: ARP Table after Poisoning Attack Implementation

4.7 Proposed Algorithm Implementation

In this section the proposed solution to prevent ARP cache poisoning is run. The
proposed algorithm was written in the Python programming language and runs on top of
the RYU SDN controller. The execution of the proposed algorithm is divided into several
steps:

A- Before running the algorithm, the SDN connection between the controller and the data
plane must be established; the OpenFlow protocol is used to establish this connection.

B- OpenFlow connection establishment.

The following shows how to establish the OpenFlow connection between the Mininet nodes
and the RYU controller. To establish the connection between the controller and the
data-plane switches, several messages must be exchanged between them. Figure 4.16 shows
the OpenFlow messages, and Figure 4.15 shows the OpenFlow connection command
"ryu-manager simple_switch.py". The details of this command are:

1- ryu-manager: the SDN controller process, which loads and runs RYU applications.

2- simple_switch.py: a Python file. It contains the OpenFlow handling functions (the
handlers for the OpenFlow messages) that are used to establish the connection between
the controller and the data plane and to implement a basic learning switch.

This code establishes the OpenFlow protocol session; Figure 4.15 shows how the OpenFlow
protocol runs inside the Mininet simulation.

Fig 4.15: How to Run Open Flow Protocol.
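As an added illustration, not code from this thesis or from the RYU project, the learning-switch logic that simple_switch.py implements, modelled in plain Python so that it runs without a controller or Mininet. The class name LearningSwitch, the FLOOD sentinel, the sample MAC addresses and the dictionary that stands in for the switch's flow table are assumptions of this example. The last function shows why this plain learning behaviour is not itself a defence: any frame can move a MAC address to another port, which is the gap the proposed algorithm is meant to close.

```python
"""Plain-Python model of the learning logic behind RYU's simple_switch.py.

Added example: LearningSwitch, the FLOOD sentinel and the sample MACs are
assumptions for this illustration, not the thesis's controller code.
"""
from dataclasses import dataclass, field

FLOOD = "FLOOD"  # stands in for ofproto.OFPP_FLOOD in a real RYU application

# Constructed sample hosts for the three-host topology used in the thesis.
H1, H2, H3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"


@dataclass
class LearningSwitch:
    """State the controller keeps for one OpenFlow datapath (switch)."""
    dpid: int
    mac_to_port: dict = field(default_factory=dict)  # learned MAC -> ingress port
    flow_table: list = field(default_factory=list)   # entries pushed with FlowMod

    def packet_in(self, in_port, src_mac, dst_mac):
        """Handle one PacketIn the way simple_switch does: learn the source,
        look up the destination, flood if unknown, otherwise install a flow so
        later packets never reach the controller. Returns (out_port, installed)."""
        self.mac_to_port[src_mac] = in_port           # learning step, no validation
        out_port = self.mac_to_port.get(dst_mac, FLOOD)
        installed = False
        if out_port != FLOOD:
            entry = {"in_port": in_port, "dl_src": src_mac,
                     "dl_dst": dst_mac, "out_port": out_port}
            if entry not in self.flow_table:
                self.flow_table.append(entry)         # FlowMod(ADD) in a real controller
                installed = True
        return out_port, installed

    def lookup_flow(self, in_port, src_mac, dst_mac):
        """Data-plane view: output port of a matching installed flow, or None."""
        for e in self.flow_table:
            if (e["in_port"], e["dl_src"], e["dl_dst"]) == (in_port, src_mac, dst_mac):
                return e["out_port"]
        return None


def run_ping_exchange():
    """Constructed sample: H1 on port 1 pings H2 on port 2 through one switch."""
    sw = LearningSwitch(dpid=1)
    steps = [
        sw.packet_in(1, H1, H2),  # H2 unknown yet -> flood, nothing installed
        sw.packet_in(2, H2, H1),  # echo reply: H1 is known -> port 1, flow installed
        sw.packet_in(1, H1, H2),  # next ping: H2 now known -> port 2, flow installed
    ]
    return sw, steps


def run_mac_spoof():
    """Why the plain learning switch is not a defence: a frame from port 3 whose
    source MAC is H2's MAC silently moves H2's binding to the attacker's port."""
    sw, _ = run_ping_exchange()
    before = sw.mac_to_port[H2]
    sw.packet_in(3, H2, H1)       # the host on port 3 claims H2's MAC; it is believed
    after = sw.mac_to_port[H2]
    return before, after
```

The first two PacketIn events are the only ones a real controller would see for this pair of hosts; after the flows are installed the switch forwards on its own, which is also why the proposed algorithm has to act at the moment of the PacketIn and then remove or replace the flow entry.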

Next, the packet traffic after the OpenFlow connection has been established is analysed.
The traffic details are:

1. Source MAC address of the transmitter.
2. Destination MAC address of the receiver.
3. Path ID of the flow entry.
4. Number of outgoing packets.

Figure 4.16 shows the OpenFlow connection details.

Figure 4.16: OpenFlow Traffic between the Hosts

When the OpenFlow connection is established, several messages are exchanged between
the controller and the data plane. Figure 4.17 shows the messages exchanged between the
controller and the switches.
Fig 4.17: OpenFlow Messages.

Next, the exchanged messages are shown using the Wireshark program to analyse the
current traffic between the hosts. Figure 4.18 shows the current connection between the
hosts and the messages between the controller and the switches.

Fig 4.18: OpenFlow Message between the Controller and Open Virtual Switch on the
Proposed Topology

Now the connectivity between the hosts is tested with the ping command over the
established OpenFlow connection.

To check the connectivity between the hosts, the Internet Control Message Protocol
(ICMP) is used. ICMP is a supporting protocol in the Internet protocol suite; it is used
by network devices, including routers, to send error messages and operational
information indicating, for example, that a requested service is not available or that a
host or router could not be reached. Figure 4.19 shows the result of the ICMP (ping)
test.

Fig 4.19: Connectivity Test between the Hosts under OpenFlow Connection

C- Algorithm implementation under the RYU controller with the detection and prevention
phase.

This section shows how the algorithm detects the attacker and drops the traffic on the
attacker's path. Before the algorithm is run, the attacker's connection log without the
algorithm is shown and its details are analysed; Figure 4.20 shows the attacker log
details before the algorithm is implemented.

Fig 4.20: Connection Log when the Attack Runs without the Proposed Algorithm.
The log details are:

1. Source MAC address and destination MAC address.
2. Path ID of the flow entry.
3. Opcode number (1 or 2): 1 for ARP REQUEST, 2 for ARP REPLY.
4. The IP address and the switch port number for this IP.
5. An error about the ARP poisoning attack, raised when the attacker runs the Ettercap
command.
6. Removal of the path ID and disabling of the switch port when the attacker is
detected.
7. The log shows the IP address and path ID of the attacker.
8. Finally, the log shows how the algorithm detects the attacker and deletes the flow
entry.

Now the attacker's connection log under the proposed algorithm is shown, together with
how the algorithm detects the attacker; Figure 4.21 shows the log details.

Fig 4.21: How the Algorithm Detects the Attacker and Deletes the Flow Entry.

4.8 Scenario Results

Two different attack scenarios are created to verify the attack mitigation, that is, the
detection and prevention of ARP poisoning by the proposed algorithm.

To execute the scenario tests, an ARP spoofing attack is launched from Host 1 using the
Ettercap software to generate spoofed ARP request and reply traffic. The ARP request
attack and the ARP reply attack are the two attack scenarios tested in this section:

ARP request attack: The first form of ARP spoofing attack is the ARP request attack. It
is carried out by sending a storm of spoofed ARP requests into the network to poison the
victim's ARP cache. The victim host will not be able to communicate with the others in
the network until its cache is refreshed. When the proposed mitigation solution runs on
the controller, it detects the request attack at the switch to which the attacker is
connected and installs a flow entry that drops packets coming from the attacker's port.
In this way the attacker's packets are filtered at the switch nearest to the attacker,
thereby protecting the entire network.

ARP reply attack: The ARP reply attack is another type of spoofing attack, similar to
the request attack. Here the victim's cache is poisoned by unsolicited ARP replies sent
by an attacker with a spoofed identity. The proposed algorithm detects and blocks it in
the same way as the request attack.
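As an added example that is not the thesis's own RYU application, the check described in Section 4.7 and exercised by the two scenarios above, in plain Python: every ARP frame is parsed, its ARP sender fields are matched against the Ethernet header and against a DHCP lease table (IP address as key, MAC address as value), and on a mismatch a drop rule is recorded for the ingress port. The lease table LEASES, the port map PORT_OF_MAC, the class ArpGuard and the sample frames are constructed for this illustration. The port-binding check (a MAC must arrive on the port it was learned on) goes one step beyond the page's description; it is what catches an attacker who spoofs the Ethernet and ARP sender fields consistently.

```python
"""Plain-Python model of the thesis's ARP check: Ethernet header vs ARP sender
fields vs DHCP lease table, with a drop rule for the offending port.
Added example; ArpGuard, LEASES, PORT_OF_MAC and the sample frames are assumed."""
import struct
from collections import namedtuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

# Constructed sample hosts: H1 is the attacker, H2 and H3 the victims, as in the thesis.
H1, H2, H3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
LEASES = {"10.1.1.1": H1, "10.1.1.2": H2, "10.1.1.3": H3}  # DHCP lease table (IP -> MAC)
PORT_OF_MAC = {H1: 1, H2: 2, H3: 3}                        # port each MAC was learned on

ArpPacket = namedtuple("ArpPacket", "eth_src eth_dst op sha spa tha tpa")


def mac_bytes(m): return bytes(int(x, 16) for x in m.split(":"))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa, eth_src=None, eth_dst=BROADCAST):
    """Ethernet II frame carrying an RFC 826 ARP packet (42 bytes). By default the
    Ethernet source equals the ARP sender MAC, as a well-behaved host sends it."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src or sha) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # htype, ptype, hlen, plen, op
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet+ARP frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpPacket(mac_str(frame[6:12]), mac_str(frame[0:6]), op,
                     mac_str(frame[22:28]), ip_str(frame[28:32]),
                     mac_str(frame[32:38]), ip_str(frame[38:42]))


class ArpGuard:
    """Controller-side check. A violation records a drop rule for the ingress port
    (a FlowMod with an empty action list in a real RYU app) and reports the reason."""

    def __init__(self, leases, port_of_mac):
        self.leases, self.port_of_mac = leases, port_of_mac
        self.drop_rules = []   # ports whose traffic is now dropped at the switch

    def _block(self, in_port, reason):
        self.drop_rules.append(in_port)
        return "drop", reason

    def inspect(self, frame, in_port):
        """("forward", None) for a consistent ARP frame, ("drop", reason) otherwise."""
        pkt = parse_arp(frame)
        if pkt is None:
            return "forward", None              # not ARP: outside this check's scope
        if pkt.op not in (ARP_REQUEST, ARP_REPLY):
            return self._block(in_port, f"unknown ARP opcode {pkt.op}")
        if pkt.sha != pkt.eth_src:              # logic match against the Ethernet header
            return self._block(in_port, "ARP sender MAC differs from Ethernet source MAC")
        if self.leases.get(pkt.spa) != pkt.sha:  # (key, value) lookup in the lease table
            return self._block(in_port, f"{pkt.spa} is not leased to {pkt.sha}")
        if self.port_of_mac.get(pkt.sha) != in_port:   # MAC must arrive on its own port
            return self._block(in_port, f"{pkt.sha} arrived on port {in_port}, "
                                        f"expected port {self.port_of_mac.get(pkt.sha)}")
        return "forward", None


def run_scenarios():
    """Constructed frames: one legitimate request, the two attack scenarios, and two
    variants showing which check catches a more careful attacker. A fresh guard per
    case keeps one blocked port from masking the next result."""
    cases = {
        # H2 genuinely asks who has 10.1.1.3
        "legit_request": (build_arp(ARP_REQUEST, H2, "10.1.1.2", ZERO_MAC, "10.1.1.3"), 2),
        # Ettercap-style reply from H1 to H2: "10.1.1.3 is at H1's MAC"
        "reply_attack": (build_arp(ARP_REPLY, H1, "10.1.1.3", H2, "10.1.1.2", eth_dst=H2), 1),
        # request storm from H1 carrying H3's IP in the ARP sender field
        "request_attack": (build_arp(ARP_REQUEST, H1, "10.1.1.3", ZERO_MAC, "10.1.1.2"), 1),
        # H3's MAC in the ARP payload but H1's real MAC in the Ethernet header
        "header_mismatch": (build_arp(ARP_REPLY, H3, "10.1.1.3", H2, "10.1.1.2",
                                      eth_src=H1, eth_dst=H2), 1),
        # both headers spoofed consistently: only the port binding gives it away
        "full_spoof": (build_arp(ARP_REPLY, H3, "10.1.1.3", H2, "10.1.1.2", eth_dst=H2), 1),
    }
    return {name: ArpGuard(LEASES, PORT_OF_MAC).inspect(frame, port)
            for name, (frame, port) in cases.items()}
```

Inside a RYU PacketIn handler the same inspect() call would be made on the raw frame and the port from msg.match['in_port']; a "drop" result becomes a FlowMod whose match is the ingress port and whose action list is empty, which is the drop flow the scenarios above describe. Because the lease table is the reference, the DHCP server (or a snooping copy of its leases) must be trusted and kept current, otherwise a host with a fresh lease is blocked until the table is refreshed.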

CHAPTER FIVE.CONCLUSIONS AND FUTURE WORK

5.1 Conclusions

Software-defined networking is a new concept for managing and configuring computer
networks. The main idea of the SDN concept is to separate the control layer of the
computer network from the network switches and to centralize it in the SDN controller.
This differs from traditional networks, where the control and forwarding decisions are
both handled in the network switches, which also perform the forwarding function.
Centralized management brings a new way to control network functionality with one
single application instead of configuring tens or hundreds of devices independently.

5.2 GENERAL CONCLUSION

In this thesis, the SDN concept is considered especially from the perspective of
network security, and security improvements are explored. A lot of research has been
done on this topic, and many concepts, frameworks and solutions have been proposed for
enhanced security, but more research still needs to be done. Network vendors should
also invest more in SDN development, so that more comprehensive solutions become
available on the market.

In this thesis, a solution to the ARP spoofing problem based on Software-Defined
Networks is proposed. We started with a discussion of the main differences between
traditional and Software-Defined Networks and then focused on the security concerns of
these networks. The proposed solution makes use of the features and characteristics of
SDN technology to reliably mitigate both ARP_REQUEST and ARP_REPLY attacks with
minimum latency. The solution works by analysing each request and reply and logically
matching it against the hardware address and the DHCP lease table (key, value) in order
to prevent ARP poisoning attacks; it is enforced from the controller and adds no extra
overhead in the network. It additionally requires no replacement of or change to the
network infrastructure, unlike several of the usual ARP spoofing solutions. The solution
is applied to a single controller in a local area network (LAN); it can also be extended
to handle ARP attacks in multiple-controller setups with high availability.

Table 5 shows the usual ARP spoofing solutions compared with the proposed solution.

Scheme | Mechanism | Pros/cons
XArp [19] | Detects false <IP, MAC> bindings. | Detection requires continuous traffic monitoring.
Snort [20] | Detects false <IP, MAC> bindings. | Free, but generates a large number of alarms.
Static ARP entries [12] | Uses static ARP entries. | Not suitable for a large network.
Dynamic ARP Inspection [40] | Blocks invalid <IP, MAC> bindings using the DHCP snooping feature. | Very high cost makes this solution ineffective.
ARPwatch [36] | Filters network packets and raises an alarm when the rule set is triggered. | Free, but requires somebody to handle the large number of alarms.
Proposed solution | 1. Detects false <IP, MAC> bindings. 2. Blocks invalid <IP, MAC> bindings using DHCP features. 3. Filters ARP packets and logically matches them against the Ethernet header. 4. Uses the SDN features to detect ARP poisoning. | 1. Does not require continuous traffic monitoring. 2. Suitable for a large network. 3. Requires no replacement of or change to the network infrastructure. 4. Adds no extra overhead in the network.

5.3 Future Work

The proposed solution can be extended to mitigate not only ARP spoofing attacks but all
kinds of data link layer attacks. A survey can be made of how to use more SDN features,
such as multiple controllers and cloud resources, to optimize the solution and to
prevent most spoofing attacks across the network layers. In the multi-controller case, a
failover cluster will be used to balance the traffic between the nodes, and another
proposed algorithm will be used to detect other spoofing attacks on SDN.

SDN will also be used to protect the cloud and the data center, because a cloud or
data center with one centralized control point can be made more secure.

Important SDN security topics for future work:

1. Secure the controller: as the centralized decision point, access to the SDN
controller needs to be tightly controlled.
2. Protect the controller: if the SDN controller goes down (for example, because of a
DDoS attack), so does the network, which means the availability of the SDN controller
needs to be maintained.
3. Establish trust: protecting the communications throughout the network is critical.
This means ensuring that the SDN controller, the applications loaded on it, and the
devices it manages are all trusted entities that are operating as they should.
4. Create a robust policy framework: what is needed is a system of checks and balances
to make sure the SDN controllers are doing what you actually want them to do.
5. Conduct forensics and remediation: when an incident happens, you must be able to
determine what it was, recover, potentially report on it, and then protect against it
in the future.

REFERENCES

1. B. A. Forouzan, TCP/IP Protocol Suite, 4th ed. McGraw-Hill, 2010.
2. Open Networking Foundation, "Software-Defined Networking: The New Norm for Networks," ONF White Paper, 2012.
3. D. Kreutz et al., "Software-Defined Networking: A Comprehensive Survey," Proc. IEEE, vol. 103, no. 1, pp. 14–76, 2015.
4. C. Bing, "W. L. R. on A. of N. S.," Computer Engineering and Applications, vol. 38, no. 7, pp. 138–140, 2002, DOI: 10.3321/j.issn:1002-8331.2002.07.047.
5. S. Y. Nam, D. Kim, and J. Kim, "Enhanced ARP: Preventing ARP Poisoning-Based Man-in-the-Middle Attacks," IEEE Communications Letters, vol. 14, no. 2, pp. 187–189, 2010.
6. V. Goyal and V. Abraham, "An efficient solution to the ARP cache poisoning problem," in Proc. 10th Australasian Conference on Information Security and Privacy, Jul. 2013, pp. 40–51.
7. H. S. Kang, J. H. Son, and C. S. Hong, "Defense technique against spoofing attacks using reliable ARP table in cloud computing environment," in Proc. 17th Asia-Pacific Network Operations and Management Symposium (APNOMS), IEEE, 2015, pp. 592–595.
8. R. di Lallo et al., "How to handle ARP in a software-defined network," in Proc. IEEE NetSoft Conference and Workshops (NetSoft), IEEE, 2016.
9. D. Bruschi, A. Ornaghi, and E. Rosti, "S-ARP: A secure Address Resolution Protocol," in Proc. 19th Annual Computer Security Applications Conference (ACSAC), IEEE, 2003, pp. 66–74.
10. M. Z. Masoud, Y. Jaradat, and I. Jannoud, "On preventing ARP poisoning attack utilizing Software Defined Network (SDN) paradigm," in Proc. IEEE Jordan Conference on Applied Electrical Engineering and Computing Technologies (AEECT), IEEE, 2015.
11. M. G. Gouda and C.-T. Huang, "A secure address resolution protocol," Computer Networks, vol. 41, no. 1, pp. 57–71, 2003.
12. C. L. Abad and R. I. Bonilla, "An analysis on the schemes for detecting and preventing ARP cache poisoning attacks," in Proc. 27th International Conference on Distributed Computing Systems Workshops (ICDCSW '07), Toronto, Canada, June 2007, pp. 22–29.
13. R. di Lallo et al., "How to handle ARP in a software-defined network," in Proc. IEEE NetSoft Conference and Workshops (NetSoft), IEEE, 2016.
14. W. Lootah, W. Enck, and P. McDaniel, "TARP: Ticket-based address resolution protocol," Computer Networks, vol. 51, no. 15, pp. 4322–4337, Elsevier, 2007.
15. C. L. Abad and R. I. Bonilla, "An analysis on the schemes for detecting and preventing ARP cache poisoning attacks," in Proc. 27th International Conference on Distributed Computing Systems Workshops (ICDCSW '07), Toronto, Canada, June 2007, pp. 22–29.
16. F. Schneider, R. Bifulco, and A. Matsiuk, "Better ARP handling with InSPired SDN switches," in Proc. IEEE International Symposium on Local and Metropolitan Area Networks (LANMAN), IEEE, 2016.
17. H. Ma et al., "SDN-Based ARP Attack Detection for Cloud Centers," in Proc. 2015 IEEE 12th Intl Conf on Ubiquitous Intelligence and Computing, Autonomic and Trusted Computing, Scalable Computing and Communications and Its Associated Workshops (UIC-ATC-ScalCom), IEEE, 2015.
18. W. R. Stevens, TCP/IP Illustrated, Vol. 1: The Protocols. Addison-Wesley Professional Computing Series, 1994.
19. Thomas F., "An Introduction to TCP/IP for Embedded Engineers," Embedded Systems Conference, San Francisco, 2002, pp. 350–370.
20. A. Dunkels, "Full TCP/IP for 8-bit architectures," in Proc. 1st International Conference on Mobile Systems (MobiSys), ACM, California, 2003, pp. 85–98.
21. Li Dongxia and Su Guangchuan, "Programming Technology of ARP in Linux System," Computer Applications, 2001, pp. 123–125.
22. B. Cox, "How does ARP work," 2005.
23. C. P. Mayer, "Advanced ARP Detection: XArp," retrieved from http://www.securityfocus.com/tools/6908.
24. X. Hou, Z. Jiang, and X. Tian, "The detection and prevention for ARP Spoofing based on Snort," in Proc. International Conference on Computer Application and System Modeling, IEEE, 2010, pp. V5-137–V5-139.
25. N. Feamster, J. Rexford, and E. Zegura, "The Road to SDN," ACM Queue, vol. 11, no. 12, pp. 20–21, Dec. 2013.
26. Jiang Guolong, Fu Binzhang, Chen Mingyu, et al., "Survey and quantitative analysis of SDN controller," Journal of Frontiers of Computer Science and Technology, 2014.
27. Open Networking Foundation, "Software-Defined Networking: The New Norm for Networks," ONF White Paper, Apr. 2012.
28. M. Monaco, O. Michel, and E. Keller, "Applying Operating System Principles to SDN Controller Design," in Proc. Twelfth ACM Workshop on Hot Topics in Networks (HotNets), ACM, 2013.
29. R. Khondoker, A. Zaalouk, R. Marx, and K. Bayarou, "Feature-based comparison and selection of Software Defined Networking (SDN) controllers," in Proc. World Congress on Computer Applications and Information Systems (WCCAIS), 2014, pp. 1–7.
30. A. Shalimov, D. Zuikov, D. Zimarina, V. Pashkov, and R. Smeliansky, "Advanced study of SDN/OpenFlow controllers," in Proc. 9th Central & Eastern European Software Engineering Conference in Russia, ACM, 2013.
31. Y. Jarraya, T. Madi, and M. Debbabi, "A survey and a layered taxonomy of software-defined networking," IEEE Communications Surveys & Tutorials, vol. 16, no. 4.
32. F. Hu, Q. Hao, and K. Bao, "A Survey on Software-Defined Network and OpenFlow: From Concept to Implementation," IEEE Communications Surveys & Tutorials, vol. 16, no. 4, pp. 2181–2206, 2014.
33. M. P. Fernandez, "Comparing OpenFlow Controller Paradigms Scalability: Reactive and Proactive," in Proc. IEEE 27th International Conference on Advanced Information Networking and Applications (AINA), 2013, pp. 1009–1016.
34. D. G. Morillo, "Implementación de un prototipo de una Red Definida por Software (SDN) empleando una solución basada en software" (Implementation of a Software Defined Network (SDN) prototype using a software-based solution), 2014.
35. R. Kloeti, "OpenFlow: A Security Analysis," Apr. 2013. [Online]. Available: ftp://yosemite.ee.ethz.ch/pub/students/2012-HS/MA-2012-20 signed.pdf.
36. D. Bruschi, A. Ornaghi, and E. Rosti, "S-ARP: A secure address resolution protocol," in Proc. Annual Computer Security Applications Conference (ACSAC), 2003, pp. 66–74.
37. S. Hernan, S. Lambert, T. Ostwald, and A. Shostack, "Threat modeling: uncover security design flaws using the STRIDE approach," MSDN Magazine, pp. 68–75, 2006.
38. D. Li, X. Hong, and J. Bowman, "Evaluation of Security Vulnerabilities by Using ProtoGENI as a Launchpad," in Proc. IEEE Global Telecommunications Conference (GLOBECOM 2011), IEEE, 2011, pp. 1–6.
39. W. Lootah, W. Enck, and P. McDaniel, "TARP: Ticket-based address resolution protocol," Computer Networks, 2007.
40. "A Survey on Comparative Analysis of Tools for the Detection of ARP Poisoning," international conference paper, 2017.
41. J. Singh, G. Kaur, and J. Malhotra, "A Comprehensive Survey of Current Trends and Challenges to mitigate ARP attacks," in Proc. 1st International Conference on Electrical, Electronics, Signals and Optimization, ISBN: 978-1-4799.
42. N. Baharudin, F. Ali, M. Darus, and N. Awang, "Wireless Intruder Detection System (WIDS) in Detecting De-Authentication and Disassociation Attacks in IEEE 802.11," Faculty of Computer and Mathematical Sciences, Universiti Teknologi MARA, 2015.
43. Sudhakar and R. K. Aggarwal, "A Security Approach and Prevention Technique against ARP Poisoning," in Proc. ICTIS 2017, Springer International Publishing, 2017.
44. G. Fyffe, "Addressing the Insider Threat," Network Security, Mar. 2008, ScienceDirect, accessed 25 June 2011.
45. S. Kumar and S. Tapaswi, "A centralized and prevention technique against ARP poisoning," in Proc. IEEE International Conference on Cyber Security, Cyber Warfare and Digital Forensic, 2012, pp. 259-26.
46. Cisco Systems, "Configuring Dynamic ARP Inspection," Chapter 39, pp. 39-1–39-22, in Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SX, 2012.