Development of An SDN Controller For Security Against An "Man-In-Middle" Attack
EDUCATIONAL INSTITUTION
« YANKA KUPALA STATE UNIVERSITY OF GRODNO »
Scientific advisor
Yauheny Alizarovich,
Head of information and
analytical center,
Ph.D. in Technical Sciences,
Associate Professor
Approved for defense
_______
(Date)
________/L.V.Rudikova
(Full name and signature of the head of the department)
Grodno, 2020
CONTENTS
INTRODUCTION...........................................................................................3
GENERAL DESCRIPTION OF THE WORK...............................................5
CHAPTER ONE. GENERAL INTRODUCTION........................................8
1.1 Introduction to SDN Network...............................................................................8
1.2 Introduction to Network Security.........................................................................9
1.3 Research Objectives............................................................................................11
1.4 Thesis Outline.....................................................................................................11
CHAPTER TWO. THEORETICAL BACKGROUND.................................13
2.1 Introduction to the network.................................................................................13
2.2 Address Resolution Protocol...............................................................................14
2.2.1 ARP Operations...........................................................................................16
2.2.2 Static and Dynamic Entries in the ARP Cache............................................16
2.3 Open Flow...........................................................................................................17
2.4 Network attacks...................................................................................................21
2.4.1 Category of Security Attack........................................................................21
2.4.2 ARP Attacks................................................................................................23
2.4.3 ARP poisoning Attack.................................................................................23
CHAPTER THREE. PROPOSED WORK....................................................25
3.1 Overview.............................................................................................................25
3.2 Problem Definition..............................................................................................25
3.3 Proposed Algorithm............................................................................................27
3.3.1 DHCP Server Operation..............................................................................28
3.3.2 Detection System.........................................................................................28
3.3.3 Prevention System.......................................................................................31
CHAPTER FOUR. THE IMPLEMENTATION AND RESULT..................36
4.1 Overview.............................................................................................................36
4.2 Virtual Machines.................................................................................................36
4.3 Mininet (SDN Simulator)....................................................................................37
4.4 RYU Open Flow Controller................................................................................39
4.5 Wireshark and Testing Phase..............................................................................40
4.6 Lab Environment.................................................................................................41
4.6.1 First scenario: Simple Topology without RYU Controller..........................43
4.6.2 Second scenario: Simple Topology with RYU Controller..........................43
4.6.3 Mininet Host Implementation......................................................................45
4.7 Proposal Algorithm implementation...................................................................51
4.8 Scenario Result...................................................................................................56
CHAPTER FIVE. CONCLUSIONS AND FUTURE WORK......................57
5.1 Conclusions.........................................................................................................57
5.2 GENERAL CONCLUSION...............................................................................57
5.3 Future Work........................................................................................................59
REFERENCES..............................................................................................61
INTRODUCTION
The relevance of the research. Today, network security has become a very important and central point in all technologies. Network security is the most important concern for any network administrator. One of the security problems affecting networks is Address Resolution Protocol (ARP) attacks. The ARP protocol accepts a logical address from the Internet Protocol (IP), resolves the IP address to the corresponding physical Media Access Control (MAC) address and passes it to layer 2 (the data link layer). ARP maps a logical IP address to its physical MAC address. On a typical physical LAN, each device on the network is identified by a physical MAC address that is usually burned into the network interface card (NIC). An ARP poisoning attack targets the Address Resolution Protocol (ARP) mapping to redirect the network flow to the attacker's host, as in a Man in the Middle (MITM) attack in a LAN.
In this thesis, a proposed algorithm based on Software Defined Networking (SDN) is suggested. SDN provides network programmability and has enabled swift innovation in protocol design, network management and security. A technique is suggested to protect data center networks from the ARP poisoning attack using SDN. The proposed algorithm is based on the ARP payload opcode and the Ethernet physical address to identify the malicious nodes that carry out ARP spoofing attacks.
The algorithm works by collecting and analyzing ARP_REQUEST and ARP_REPLY packets and mapping them to the Ethernet MAC address. The proposed algorithm is implemented on the RYU SDN controller. All the scenarios used by ARP attackers that exploit the ARP protocol mechanism have been tested.
The proposed solution makes use of the features and characteristics of SDN technology to reliably mitigate both ARP_REQUEST and ARP_REPLY attacks with minimum latency. The solution works by analyzing the request and the reply and logically matching them with the hardware (HW) address and the DHCP Leased Table (key, value), to prevent ARP poisoning attacks against the controller, and it does not add any extra overhead to the network.
GENERAL DESCRIPTION OF THE WORK
In this work we aim to find the most suitable solution by analyzing all of the cases and looking at their features and weaknesses. In order to minimize the number of ARP_REQUESTs that are broadcast over the network, devices (operating systems) hold a cache of the ARP_REPLYs received from other hosts on their network. So, when a host receives an ARP_REPLY, it will usually update its ARP cache records with a new association entry. Note that the <IP, MAC> mapping received in the ARP_REPLY must only be used to update the ARP cache table if that sender's IP and source MAC (SRC_MAC) addresses are already in the DHCP table and the SRC_MAC matches the HW address.
CHAPTER ONE. GENERAL INTRODUCTION
While the importance of data networks has been growing in all kinds of organizations during the last ten years, the work needed for network control has also become more important and time-consuming. The larger the network grows, the more networking devices are required. Normally, every networking device, for example a switch, has its own vendor-specific operating system and configuration syntax. So we can say that the control layer and the data layer are both located in one specific networking device.
Software-defined networking (SDN) is an approach to computer networks which allows the control of the network and the development of new network features. Instead of managing every network device one at a time through a vendor-specific interface, in SDN the control of the network can be centralized in a specific SDN controller.
The essential idea of SDN is to separate the control layer and centralize it in one single point of the network. This means that every single network device needs only to deal with the data layer and forward data packets from one point to another based on the forwarding decisions made by the SDN controller [1]. This way every switch is managed from one specific controller through an application programming interface (API), and the controller in turn is commanded by application-layer SDN programs. The basic SDN architecture is shown in Fig 1.1.
Fig 1.1: The SDN layers.
This gives new opportunities for designing computer networks and makes administration easier than before. The main difference between SDN and the earlier approaches is that a software component running on a server or a CPU is introduced into the architecture of the network. The software element in SDN is in charge of the control plane of the network. That is why we say that SDN decouples the control and data planes, as this distinction was not as clear in previous approaches.
1.2 Introduction to Network Security
We are exposed to several security threats: denial of service (DoS), scanning, password cracking, spoofing, eavesdropping, spamming, phishing, worms, and others. Many organizations and businesses define their network security policy. It is a set of rules that must be followed by users to avoid, or at least reduce, the security threats. Technically, the policy is usually enforced by firewalls, intrusion detection and prevention systems (IDS, IPS) or a virtual private network (VPN).
The firewall represents a fundamental level of defense. It is used to regulate the incoming and outgoing traffic of the network and also applies multiple roles to control the network traffic.
Intrusion detection and/or prevention should be implemented to satisfy two fundamental requirements: to detect and/or protect host computers from security threats coming into the given network from the Internet or other networks, and the other way round, too. In this thesis an attempt has been made to explore all the components of one of the important security attacks made on the ARP cache.
The attacker poisons the ARP cache of the host system, thereby redirecting data travelling to the attacker's own system. It then captures all the data and retrieves the valuable information, such as usernames and passwords, for further harm to the important accounts, to obtain more personal data or to destroy the accounts.
This thesis attempts to implement certain methods by which the act of cache poisoning can be prevented and detected before the major loss of data. It has clearly become very important to secure the data travelling on the network. ARP spoofing is one of the many vulnerabilities which exist in current networking protocols, which give an attacker complete free rein over a network. These attacks are comparatively simple to carry out, as there are quite a number of automated tools available, while any kind of defense against them comes at the lowest possible cost.
1.3 Research Objectives
The purpose of this work is to provide an efficient approach that will be able to prevent and detect ARP cache poisoning. This is achieved by deploying detection and prevention algorithms running on top of the SDN Controller to block any wrong or unauthorized attempt to change the contents of the cache with invalid associations. This prevents the undesirable redirection of data through the attacker's machine, so valuable data is not sniffed. The algorithms work based on the evaluation of ARP packets. We introduce two algorithms: the first one works in the dynamic environment (dynamic entries), and the second works on the static map; this algorithm is best used in data centers.
1.4 Thesis Outline
CHAPTER TWO. THEORETICAL BACKGROUND
In the network there are four layers; these layers are responsible for carrying the data from the source to the destination. Each layer is responsible for generating new information and passing this information to the next layer.
… and proceed to transfer the data from one place to another. The figure below illustrates the ARP broadcast and response procedure.
When the destination device lies on a remote network, one beyond another Layer 3 device, the process is the same except that the sending device sends an ARP request for the MAC address of the default gateway. After the address is resolved and the default gateway receives the packet, the default gateway broadcasts the destination IP address over the networks connected to it. The Layer 3 device on the destination device's network uses ARP to get the MAC address of the destination device and delivers the packet.
We describe the following steps. Then we explain the six states in which a host operating system in a network needs to use ARP.
to do things.
OpenFlow architecture: the OpenFlow network architecture includes three fundamental models:
Communication of switches with the hosts and with each other is accomplished using the data path the software provides; communication of the controller with the switches is carried out using the control path, as shown in the figure. A secured connection is maintained between the OpenFlow controller and the switch by using the SSL or TLS cryptographic protocols; in this case the switch and the controller are mutually authenticated by exchanging certificates signed by each side's private key. Even though this is a very effective security protocol, the controller may still be vulnerable to a denial of service (DoS) attack or a man in the middle attack; therefore, good security practices must be implemented to stop such attacks.
Flow and group tables define the behavior of switches for data flows coming from different interfaces, i.e. physical and virtual. The table consists of a set of rules in which the flow of the communication data is defined. The switch responds to every flow according to the rules; these rules are called flow rules.
An OpenFlow switch consists of one or more flow tables and a group table for frame lookups and forwarding. A flow rule includes three fields:
1. Rule: the header to match against the frames of the flows. Many Ethernet headers are supported; OpenFlow is designed to be extensible, and custom headers can also be defined. The switch only performs a bit-mask match. Because of this, the OpenFlow switch is open to advanced non-IP traffic.
2. Action: when a rule is matched with traffic, it defines which action must be performed. These actions are also open for extensions, but a few basic actions are already given in the specification. For instance: forwarding to one or more ports, forwarding to the controller, dropping the frame, and modifying frame fields. In order to add custom actions, the only requirement is that the data path has flexibility while providing high performance and low cost.
3. Statistics: whenever a flow rule is matched, the switch has to update the frame counters, which indicate the popularity of a specific flow. Counters are available for each table, each flow, all the ports and each queue. Moreover, a timer of last activity and the initial setup time of the flow are maintained.
An OpenFlow channel is the connection between the switch and the controller. This channel is typically encrypted with the Transport Layer Security (TLS) protocol; however, the channel can also be run over plain Transmission Control Protocol (TCP).
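To make the rule / action / statistics split concrete, the following is an added example written for this page (it is not code from the thesis and not an OpenFlow implementation): a minimal flow table in Python in which each rule carries bit-masked match fields, an action list and packet/byte counters, and a lookup walks the rules in priority order and updates the counters of the first match. The field names, the integer encoding of addresses and the low-priority table-miss entry that sends unmatched frames to the controller are assumptions of the example.

```python
import ipaddress
import time
from dataclasses import dataclass

# Added illustration of an OpenFlow-style flow table (not the thesis's code).
# Field names, address encodings and the table-miss entry are assumptions.


@dataclass
class FlowRule:
    # match: field name -> (value, mask); a field matches when
    # (packet_value & mask) == (value & mask), i.e. a bit-mask match.
    match: dict
    actions: list            # e.g. ["output:1"], ["controller"], ["drop"]
    priority: int = 0
    # statistics, updated on every hit
    packets: int = 0
    bytes: int = 0
    last_used: float = 0.0


class FlowTable:
    def __init__(self):
        self.rules = []

    def add(self, rule: FlowRule) -> None:
        self.rules.append(rule)
        # highest priority first, so lookup can stop at the first hit
        self.rules.sort(key=lambda r: r.priority, reverse=True)

    def lookup(self, packet: dict, length: int) -> list:
        """Return the action list of the first matching rule; [] if nothing matches."""
        for rule in self.rules:
            if all(name in packet and (packet[name] & mask) == (value & mask)
                   for name, (value, mask) in rule.match.items()):
                rule.packets += 1
                rule.bytes += length
                rule.last_used = time.time()
                return rule.actions
        return []  # no table-miss entry installed: the frame is dropped


def ip_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def build_example_table() -> FlowTable:
    """Constructed table: ARP to the controller, one IPv4 subnet out port 1,
    and a table-miss entry (empty match, priority 0) to the controller."""
    table = FlowTable()
    table.add(FlowRule({"eth_type": (0x0806, 0xFFFF)}, ["controller"], priority=100))
    table.add(FlowRule({"eth_type": (0x0800, 0xFFFF),
                        "ipv4_dst": (ip_int("10.1.1.0"), ip_int("255.255.255.0"))},
                       ["output:1"], priority=50))
    table.add(FlowRule({}, ["controller"], priority=0))
    return table


def demo():
    """Three constructed frames: an ARP frame, an IPv4 frame for 10.1.1.3 and
    an IPv4 frame for an address outside the subnet. Returns the chosen
    actions and the (priority, packets, bytes) statistics of every rule."""
    table = build_example_table()
    arp = {"eth_type": 0x0806}
    ip_in = {"eth_type": 0x0800, "ipv4_dst": ip_int("10.1.1.3")}
    ip_out = {"eth_type": 0x0800, "ipv4_dst": ip_int("192.0.2.9")}
    results = (table.lookup(arp, 42), table.lookup(ip_in, 98), table.lookup(ip_out, 98))
    stats = [(r.priority, r.packets, r.bytes) for r in table.rules]
    return results, stats


if __name__ == "__main__":
    print(demo())
```

The priority sort matters: without it the empty table-miss match would swallow every frame, which is why real switches evaluate entries in priority order and controllers such as RYU install the table-miss entry with the lowest priority.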
Network policies and services are used as OpenFlow applications which interact with the control plane via the northbound API. OpenFlow-based SDN applications are developed that use the underlying network infrastructure and deploy and use different capabilities at run time. Therefore, control of the network traffic is moved from the infrastructure to the controller. Network operators gain high levels of network control, automation and optimization with the help of SDN applications.
3. External Threats: unauthorized people outside the organization who do not have access to the company's computer system or network could cause an external threat. They typically break into an organization's network through the Internet or a server. Both skilled and inexperienced computer criminals could cause external threats.
4. Internal Threats: this kind of threat could come from an unhappy and angry employee who has authorized access to the company's network. As with external threats, the damage that could be caused by such a computer criminal depends on their skill.
… the data link layer, despite the existence of changes in network operational practice that include features like nation-wide layer networks and national and regional optical networks. Known threats at the lower levels of the OSI stack include ARP spoofing, MITM (man-in-the-middle) attacks at the data link layer, and physical layer attacks which include passive optical taps or the interception of wireless network signals by attackers. While these of the computer criminal.
CHAPTER THREE. PROPOSED WORK
3.1 Overview
We will introduce the proposed detection and prevention system, based on SDN features and characteristics, against the ARP Poisoning Attack.
This section describes the proposed algorithm and the way it works to detect and prevent ARP Poisoning attacks. In this section two algorithms will be introduced:
The first algorithm works in the dynamic environment, when a DHCP server is used to assign IP addresses in the network.
The second algorithm works in the static environment, such as data center equipment.
A- Detection Phase: this phase works to detect the ARP Poisoning attack based on the proposed algorithm.
B- Prevention System: this phase works to prevent the attack based on the administrator's rules.
The attacker first sends a legitimate gratuitous ARP reply to a host. The controller installs a flow to allow this message to traverse the network to the target host.
The attacker now creates a new gratuitous ARP reply. This message keeps the details needed to traverse the flow which now exists in the network, but also contains a modified ARP header. The source IP and hardware source address are changed in order to poison the recipient's ARP cache. The attacker sends this message to the target.
The crafted ARP reply piggybacks on the existing flow, which conceals the traffic from the controller. The message then reaches the host and poisons its ARP cache with the details in the modified ARP header.
In the world of network security, there are two methods of protection: the prevention method and the detection method.
The prevention method attempts to prevent the appearance of the attack, while the detection method triggers a sort of alarm when an attack is detected.
3.3 Proposed Algorithm
For the best security mechanism, both the prevention and detection methods should be implemented to protect our network. This method is implemented on the SDN RYU Controller with Open vSwitch (OVS) to connect the hosts. The Detection System and Prevention System are described according to the following steps:-
Fig 3.2: Detection and prevention System Process.
The controller extracts the IP and MAC addresses from the DHCP header and uses them to add an entry to the known hosts list (DHCP Leased Table). This known hosts list keeps track of all the IP addresses leased by the DHCP server. The controller starts monitoring each of the ports on the switches connected to it. It also installs flow entries on the edge switches to forward ARP and DHCP lease packets to it for analysis. When the controller receives a packet from the edge switch, it processes it according to the protocol present in the packet. ARP and DHCP packets are handled according to the proposed logic to detect any attack.
3.3.2 Detection System
Network security in SDN is ideal thanks to the use of SDN's features and characteristics, or thanks to the use of the programmable plane to solve the security problems of SDN itself. SDN offers us the potential to collect the required information from the network and gives a way to analyze and discover the malicious hosts [17]. After the analysis, the network can also be reprogrammed to implement any protection policy.
In the Detection System the RYU Controller uses an algorithm to detect the ARP poisoning attack; this algorithm selects the payload OPCODE in the ARP packet, and this field is used to classify the received packet.
When the controller receives the ARP packet, it extracts the opcode to know whether this is a request packet or a reply packet: if "opcode = 1" the packet is an ARP_REQUEST, so the proposed algorithm handles this packet as an ARP_REQUEST; if "opcode = 2" it is a reply packet.
The MAC address in the Ethernet frame is called the HW address, so the proposed algorithm matches the received SRC_MAC against the HW address. The next step matches the information <ARP_SRC_MAC, ARP_DST_MAC, ARP_DST_IP, ARP_SRC_IP> in the ARP packet against the DHCP Leased Table <MAC, IP> and the Ethernet header, because each host that received an IP from DHCP is saved in the DHCP Leased Table together with some of its information, such as MAC address, lease time, etc. Fig 3.2 shows how the Detection System scenario works.
So if any mismatch occurs in this logic, it indicates that the packets have been altered by the attacker; otherwise it is a valid ARP packet.
This operation and logic match is applied by the SDN controller. Each packet passes to the controller, which extracts the Ethernet header and then the ARP packet inside it. The controller starts monitoring each of the ports on the switches connected to it.
When the RYU controller receives a packet from the Open vSwitch software (OVS), it processes it based on the protocol in the header.
ARP is handled according to the proposed logic to detect any attack. Figure 3.5 below shows the ARP packet encapsulated inside an Ethernet frame.
In the proposed work the controller is programmed to act on an invalid packet with these rules:
These rules are applied when the detection phase detects an invalid packet. Figure 3.6 shows the Prevention System steps.
Fig 3.6: Prevention Phase Process
Next, the detection and prevention method is explained on the basis of the flowchart, to describe how the SDN Controller handles the ARP Poisoning attack. Figure 3.4 shows the ARP_REQUEST proposed application. Figure 3.5 shows the ARP REPLY.
A- Proposed flowchart when the SDN Controller receives the ARP REQUEST packet, according to the following steps:-
1. The RYU SDN controller receives the ARP packet.
2. The SDN Controller checks the "opcode" to sort the ARP packet (REQUEST or REPLY).
3. "IF OPCODE = 1", the packet is an ARP REQUEST, so the controller handles this packet as an ARP REQUEST.
4. Check whether the destination IP in the ARP packet is the same as an IP in the "DHCP Leased Table", based on a pair <MAC, IP>. If the destination IP does not match an IP in the DHCP Leased Table, the controller hands the ARP REQUEST to the Prevention Phase.
5. If the condition of step 4 succeeds, another condition is checked: "IF the source MAC address in the Ethernet header equals the source MAC address in the ARP header". If the source MAC in the Ethernet header does not equal the source MAC in the ARP header, the controller hands the ARP REQUEST to the Prevention Phase.
6. If step 5 succeeds, another condition is checked: "IF the source IP in the ARP header, paired with the source MAC address in the ARP header, matches this pair in the DHCP Leased Table", i.e. {(SRC_IP, SRC_MAC) in ARP header} matches {(SRC_IP, SRC_MAC) in DHCP Leased Table}. If it does not match, the controller hands the ARP REQUEST to the Prevention Phase.
7. If steps 4, 5 and 6 succeed, the controller updates the ARP cache table.
8. End
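The request-side steps above, the Ethernet/ARP field matching of section 3.3.2 and the ARP-cache update rule from the general description of the work are brought together in the following added Python example. It was written for this page and is not the thesis's RYU application: it parses a raw Ethernet+ARP frame, applies steps 2 to 7 against a DHCP Leased Table held as a dictionary, and updates a local ARP cache only when every check passes. The lease table contents, the host MAC addresses and the frames are constructed sample data (the topology's IPs with Mininet-style MACs), and the treatment of replies (the same sender checks, plus a check that the target <IP, MAC> pair is a known lease) is an assumption, because the reply flowchart is only referenced by figure.

```python
import struct
from dataclasses import dataclass

# Added illustration of the thesis's detection steps (not the RYU app itself).
ETH_TYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass
class ArpFrame:
    eth_src: str   # HW address in the Ethernet header
    eth_dst: str
    opcode: int
    sha: str       # ARP sender hardware address (ARP_SRC_MAC)
    spa: str       # ARP sender protocol address  (ARP_SRC_IP)
    tha: str       # ARP target hardware address  (ARP_DST_MAC)
    tpa: str       # ARP target protocol address  (ARP_DST_IP)


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(raw: bytes) -> ArpFrame:
    """Extract the Ethernet header, then the ARP packet inside it (Fig 3.5)."""
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", raw[:14])
    if eth_type != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    _ht, _pt, _hl, _pl, opcode, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", raw[14:42])
    return ArpFrame(_mac(eth_src), _mac(eth_dst), opcode, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


def build_arp_frame(eth_src, eth_dst, opcode, sha, spa, tha, tpa) -> bytes:
    """Builds constructed test frames; in the lab the frames come from Mininet hosts."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return (struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETH_TYPE_ARP)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                          mac(sha), ip(spa), mac(tha), ip(tpa)))


def learn_lease(leases: dict, yiaddr: str, chaddr: str) -> None:
    """Section 3.3.1: IP and MAC taken from the DHCP header go into the DHCP Leased Table."""
    leases[yiaddr] = chaddr


def inspect_arp(f: ArpFrame, leases: dict) -> tuple:
    """Steps 2-6 of the flowchart: ('valid', reason) or ('prevent', reason)."""
    if f.opcode not in (ARP_REQUEST, ARP_REPLY):              # step 2
        return "prevent", "unknown opcode"
    if f.opcode == ARP_REQUEST and f.tpa not in leases:        # step 4
        return "prevent", "destination IP not in DHCP Leased Table"
    if f.opcode == ARP_REPLY and leases.get(f.tpa) != f.tha:   # assumed reply-side check
        return "prevent", "target <IP, MAC> pair not in DHCP Leased Table"
    if f.eth_src != f.sha:                                      # step 5
        return "prevent", "Ethernet source MAC differs from ARP source MAC"
    if leases.get(f.spa) != f.sha:                              # step 6
        return "prevent", "sender <IP, MAC> pair not in DHCP Leased Table"
    return "valid", "all checks passed"


def handle_arp(raw: bytes, leases: dict, arp_cache: dict) -> str:
    """Step 7: the ARP cache is updated only when the packet is valid."""
    f = parse_arp_frame(raw)
    verdict, _reason = inspect_arp(f, leases)
    if verdict == "valid":
        arp_cache[f.spa] = f.sha
    return verdict


# Constructed sample data: attacker h1, victims h2 and h3 (Mininet --mac style).
H1, H2, H3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


def demo() -> dict:
    leases, cache = {}, {}
    for ip, mac in (("10.1.1.1", H1), ("10.1.1.2", H2), ("10.1.1.3", H3)):
        learn_lease(leases, ip, mac)
    frames = {
        # h2 asks who has 10.1.1.3: every check passes, the cache learns h2
        "legit_request": build_arp_frame(H2, BCAST, ARP_REQUEST, H2, "10.1.1.2", ZERO, "10.1.1.3"),
        # h1 claims h3's IP with its own MAC: step 6 mismatch
        "spoofed_sender": build_arp_frame(H1, H2, ARP_REPLY, H1, "10.1.1.3", H2, "10.1.1.2"),
        # Ethernet source MAC and ARP sender MAC disagree: step 5 mismatch
        "mac_mismatch": build_arp_frame(H1, H2, ARP_REPLY, H3, "10.1.1.3", H2, "10.1.1.2"),
        # request for an address no lease was ever issued for: step 4
        "unknown_target": build_arp_frame(H2, BCAST, ARP_REQUEST, H2, "10.1.1.2", ZERO, "10.1.1.9"),
    }
    verdicts = {name: handle_arp(raw, leases, cache) for name, raw in frames.items()}
    verdicts["cache"] = dict(cache)
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Note that the check order reproduces the flowchart: a lease lookup on the target first, then the Ethernet-versus-ARP MAC comparison, then the sender pair. In a RYU application the same function would run in the packet-in handler, and a "prevent" verdict would be passed to the prevention phase instead of updating the cache.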
Next, these steps are shown according to the flowchart in Figure 3.7, when the SDN Controller handles the packet as an ARP REQUEST.
Fig 3.7: How the SDN Controller Handles the ARP REQUEST Based on the Detection and Prevention System.
B - Proposed flowchart when the SDN Controller receives the ARP REPLY packet, according to the following steps:-
Fig 3.8: How SDN Controller Handles the ARP REPLY Based on Detection and
Prevention System
CHAPTER FOUR. THE IMPLEMENTATION AND RESULT
4.1 Overview
This section shows how to implement the proposed algorithm within the SDN lab. It also shows the SDN simulator and the way we establish the OpenFlow connection between the controller and the switch; in addition, our proposed work is examined with the Wireshark program to check the present traffic status and the state of the OpenFlow connection when the attacker carries out the poisoning attack.
It is a logical conclusion that training and study must take a crucial portion of the effort invested in the implementation. In order to invest these efforts and this time in the most effective way, it is usual for software developers to provide tutorial systems encapsulated in customized Virtual Machines (VM). The possibility of running simulated machines inside real physical ones is not new, but it is still quite useful. By creating a VM image with the OS and software that is required for a specific task, like training in SDN, we can simplify access to knowledge and increase the efficiency of some processes that need to be replicated on several different machines.
In the context of this work, the VMs have a relevant role in the training part, as they are the main learning tools provided by the developers of both Mininet and the RYU Controller. The tool chosen to run them in this project has been VMware. VMware is a widely used platform, available for all main OSes, used to run VMs via GUI or via command line. Nevertheless, working on a VM inside a remote machine via SSH has proven not to be the most reliable nor the most comfortable way.
4.3 Mininet (SDN Simulator)
Mininet:
It works as an emulation of a network built with Linux-based hosts and switches that support OpenFlow, in which it is possible to create networks with custom complex topologies, allowing experimentation in an inexpensive, fast and scalable way. As seen in the State of the Art, the SDN architecture is built over a physical network used as the infrastructure.
To do so we define a topology that matches the necessities of the project without adding excessive complexity. Those topologies can be defined using different methods; for our setup we have chosen to define it by using the Mininet libraries for Python.
Getting started with Mininet (in Ubuntu) is as simple as installing it via the command line from the repository and executing "$ sudo mn" in a terminal. Figure 4.1 shows how Mininet runs in the Linux environment. You can add options with instructions such as the number of switches, the number of hosts, the kind of topology, etc., but in the end it is easier to code it into a Python script.
4.4 RYU Open Flow Controller
The key element of every SDN architecture is the controller. It defines the rules on which the network is based, the main and backup routes of the packets, and enforces them by pushing flow tables into the networking elements.
The controller also collects live information about the status, traffic and performance of the network in order to keep it always as efficient as possible and to change the paths in case of link saturation or link loss. For the work setup, we have chosen the RYU controller. Figure 4.2 shows the RYU SDN Framework.
Fig 4.2: RYU SDN Controller Framework.
In this work, Wireshark has been used to understand the underlying behavior of the different elements and the interactions between them.
For these tests, we capture the packets with Wireshark and then filter the OpenFlow packets in these scenarios. The scenario is the Mininet topology running with the controller; we will connect the topology to a remote RYU controller.
In the following section, we will provide the results of the commands listed above as well as the Wireshark captures, in order to show and understand the behavior of the different scenarios studied.
We will use the topology in Figure 4.3 as a test scenario for the proposed algorithm in the SDN topology.
Fig 4.3: Proposed Topology Scenario
The topology contains three hosts (host 1, host 2 and host 3) with IP addresses (10.1.1.1, 10.1.1.2, 10.1.1.3). Host 1 acts as the attacker node; this node listens to the other nodes, host 2 and host 3, which are the victim nodes.
Next, the scenario topology (one switch and three hosts) is created in the Mininet simulation using this command:
it@ubuntu:~$ sudo mn --controller=remote,ip=127.0.0.1 --mac -i 10.0.0.0/24 --switch=ovsk,protocols=OpenFlow13 --topo=single,3
This command is used to build the topology with the following requirements:-
5. The topology diagram is a single topology.
6. The topology diagram is shown in Figure 4.4.
In this scenario, the hosts in the topology cannot communicate with each other because there is no OpenFlow table; in other words, no SDN controller is implemented in this scenario. No OpenFlow packets are captured, there is no visibility between hosts and no flow table on the switch. This makes sense as no one is pushing OpenFlow commands into the switch. Figure 4.5 shows the test scenario result without SDN; the ICMP protocol is used to test host connectivity.
Fig 4.5: Scenario Test without SDN Controller with No Response from the Hosts.
4.6.2 Second scenario: Simple Topology with RYU Controller.
In this second scenario, we find that the remote controller works as expected and
pushes a flow table into the switch, in doing so allowing the hosts to see each other;
in other words, in this scenario the SDN controller builds the OpenFlow table and sets up
the connection between the hosts so that each can see the others. Figure 4.6 shows the host
connectivity after the RYU controller is added to the scenario, using the ICMP protocol to
test host connectivity. ICMP result: no packets dropped.
Figure 4.7 shows the OpenFlow flow table, since the SDN controller sets up the
rules and policy for each host in the topology, such as the
input port, duration, cookie, table number, etc.
Flow table: the basic building block of the logical switch architecture is the
flow table. Each packet that enters a switch passes through one or more flow tables.
Each flow table contains entries consisting of six components:
Match fields: used to select packets that match the values in the fields.
per-flow table, and per flow-table entry; the number of dropped packets; and duration
of a flow.
This section shows the attack without the proposed solution; the Ettercap
tool is used to generate the attack on the Mininet topology under the Linux operating
system.
Ettercap tool: Ettercap is a comprehensive suite for man in the middle attacks. It
features sniffing of live connections, content filtering on the fly and many other
interesting tricks. It supports active and passive dissection of many protocols and
includes many features for network and host analysis.
The previous command builds the topology with the following requirements:
Fig 4.8: Single Topology Node (H1, H2, H3, C0, and S1).
Entering host mode: this step shows the host parameters, such as the IP
address and MAC address of each node. The command “xterm h1 h2 h3”, run inside the
Mininet CLI, is used to enter host mode. The result of the
xterm command is shown in Figure 4.9.
To check the connectivity between the hosts, the Internet Control
Message Protocol (ICMP) is used. ICMP is a supporting protocol in the Internet protocol suite. It is
used by network devices, including routers, to send error messages and operational
information indicating, for example, that a requested service is not available or that a
host or router could not be reached. Figure 4.10 shows the result of the ICMP
“pingall” command.
Fig 4.10: Result of the Host’s Connectivity.
The following is the ARP cache table before the ARP poisoning attack is carried out. This
table contains the IP address, MAC address and physical interface for each node in our
topology.
To show the ARP cache table of each host, the “xterm” command must first be run
to enter the host mode of each host (Figure 4.9 shows the xterm command). After that,
“arp -a” must be run in each host to show its ARP cache table. Figure 4.11 shows
the ARP cache table result for each host.
Fig 4.11: The ARP Cache Table of (H1, H2, and H3).
Note: a host that needs to communicate with another host must first consult its ARP
table for the MAC address of the next-hop node. For example, if H1 needs to communicate
with H2, H1 must look up the MAC address of H2 in its ARP cache table; if the
MAC address of H2 is not found in the ARP table of H1, H1 must send an
ARP request to obtain the MAC address of H2.
This section shows how to create the ARP attack using the Ettercap
tool. In our topology H1 is the attacker node, and H2 and H3 are the victim nodes. H1
runs Ettercap to change the ARP tables of H2 and H3 with the command
“ettercap -T -W test.pcap -M ARP /10.1.1.2// /10.1.1.3//”; Figure 4.12 shows the
Ettercap command.
After running the previous command in host mode on H1, the result is:
Fig 4.14: ARP Table after Poisoning Attack Implementation
This section runs the proposed solution to prevent ARP cache
poisoning. The proposed algorithm was written in the Python programming language
and runs on top of the RYU SDN controller. The completion of the proposed
algorithm is divided into several steps:
This code is used to establish the OpenFlow protocol; Figure 4.15 shows how the OpenFlow protocol runs
inside the Mininet simulation.
Next, the packet traffic is analysed after the OpenFlow connection is established.
The traffic details are:
When the OpenFlow connection is established, multiple messages are exchanged between
the controller and the data plane. Figure 4.17 shows the messages exchanged between the
controller and the switches.
Fig 4.17: OpenFlow Messages.
Next, the message exchanges are shown using the Wireshark program to analyse
the current traffic between the hosts. Figure 4.18 shows the current connection between
the hosts and the messages between the controller and the switches.
Fig 4.18: OpenFlow Messages between the Controller and Open vSwitch on the
Proposed Topology
Now the connectivity between the hosts is tested with the ping command over the
OpenFlow connection.
To check the connectivity between the hosts, the Internet
Control Message Protocol (ICMP) is used. ICMP is a supporting protocol in the Internet protocol
suite. It is used by network devices, including routers, to send error messages and
operational information indicating, for example, that a requested service is not
available or that a host or router could not be reached. Figure 4.19 shows the
result of the ICMP test.
Fig 4.19: Connectivity Test between the Hosts under OpenFlow Connection
This section shows how the algorithm detects the attacker and drops the
traffic on the attacker's path. Before running the algorithm, the attacker's
connection log from before the algorithm was implemented is shown and its details analysed;
Figure 4.20 shows the attacker log details before the algorithm is implemented.
Fig 4.20: Connection Log while the Attack Runs without the Proposed
Algorithm.
The Log details are:
Now the attacker's connection log is shown together with how the algorithm detects the
attacker; Figure 4.21 shows the log details under the proposed algorithm.
Fig 4.21: How the Algorithm Detects the Attacker and Deletes the Flow Entry.
4.8 Scenario Result
Two different attack scenarios are created to verify the attack mitigation,
i.e. the detection and prevention of ARP poisoning by the proposed algorithm.
To execute the scenario tests, an ARP spoofing attack is launched with the Ettercap
software on Host 1, which generates spoofed ARP request and reply traffic. The ARP
request attack and the ARP reply attack are the attack scenarios tested in this section;
two cases are studied:
ARP request attack: the first form of ARP spoofing attack is the ARP request
attack. It is carried out by sending a storm of spoofed ARP requests into the
network to poison the victim's ARP cache. The victim host will not be able to
communicate with the others in the network until its cache is refreshed. When the
proposed mitigation solution runs on the controller, it detects the request attack at the
switch to which the attacker is connected and installs a flow entry to drop packets
coming from the attacker's port. This way, the attacker's packets are filtered at the switch
nearest to the attacker, thereby protecting the entire network.
ARP reply attack: the ARP reply attack is another type of spoofing attack, similar
to the request attack. Here, the cache of the victim is poisoned by unsolicited ARP
replies sent by an attacker with a spoofed identity.
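The following Python module is an added illustration of the controller-side detection logic described above (the proposed algorithm that installs a drop entry for the attacker's port); it is example code written for this text, not the thesis's own RYU application. It parses ARP frames, keeps an IP-to-MAC binding table per switch (seeded statically or learned from the first clean ARP seen), and returns the forward/drop decision that a RYU packet-in handler would turn into a flow entry; the switch id, ports, MAC addresses and sample frames are constructed assumptions based on the three-host topology.

```python
import struct
from collections import namedtuple

ARP_ETHERTYPE = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ArpPacket = namedtuple("ArpPacket", "eth_src opcode sender_mac sender_ip target_ip")
_mac = lambda b: ":".join(f"{x:02x}" for x in b)
_ip = lambda b: ".".join(str(x) for x in b)

def parse_arp(frame):
    """Decode Ethernet II + ARP (42 bytes); return ArpPacket, or None for non-ARP."""
    if len(frame) < 42:
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ARP_ETHERTYPE:
        return None
    # fields: htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
    _, _, _, _, op, sha, spa, _tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return ArpPacket(_mac(eth_src), op, _mac(sha), _ip(spa), _ip(tpa))

def build_arp(eth_src, opcode, sender_mac, sender_ip, target_ip):
    """Constructed test frame (broadcast destination, zero target MAC); not capture data."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth = struct.pack("!6s6sH", b"\xff" * 6, mac(eth_src), ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      mac(sender_mac), ip(sender_ip), b"\x00" * 6, ip(target_ip))
    return eth + arp

class ArpGuard:
    """Per-switch IP->MAC bindings; an ARP sender that conflicts with them blocks its
    ingress port. Seed `static` with the known hosts, or the first clean ARP is trusted."""
    def __init__(self, static=None):
        self.bindings = dict(static or {})   # (dpid, ip) -> mac
        self.blocked = set()                 # (dpid, in_port) that received a drop rule

    def inspect(self, dpid, in_port, frame):
        """Return 'forward' or 'drop' for a packet-in arriving at (dpid, in_port)."""
        if (dpid, in_port) in self.blocked:
            return "drop"
        pkt = parse_arp(frame)
        if pkt is None:
            return "forward"                 # non-ARP traffic is not inspected here
        known = self.bindings.get((dpid, pkt.sender_ip), pkt.sender_mac)
        # A spoofed request or an unsolicited spoofed reply carries a sender MAC that disagrees
        # with the binding (or the Ethernet source); in RYU this is where a drop OFPFlowMod goes.
        if pkt.sender_mac != pkt.eth_src or known != pkt.sender_mac:
            self.blocked.add((dpid, in_port))
            return "drop"
        self.bindings[(dpid, pkt.sender_ip)] = known   # learn on first clean sighting
        return "forward"
```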
CHAPTER FIVE.CONCLUSIONS AND FUTURE WORK
5.1 Conclusions
In this thesis, the SDN concept is considered especially from the perspective of
network security and security improvements are explored. There is a lot of research done
on this topic and also a lot of the concepts, frameworks or solutions are proposed for
enhanced security but still more research needs to be done. Also, the network vendors
should invest more into the SDN development, so there will be more comprehensive
solutions available in the market.
Table 5 shows the usual ARP spoofing solutions compared with the
proposed solution.
SDN will also be used to protect the cloud and data center, because a
cloud or data center with one centralized control point becomes more secure.
4. Create a Robust Policy Framework: what’s needed is a system of checks and
balances to make sure the SDN Controllers are doing what you actually want them
to do.
5. Conduct Forensics and Remediation: when an incident happens, you must be able
to determine what it was, recover, potentially report on it, and then protect against
it in the future.
REFERENCES