A prototype for a honeynet based on SDN

Abstract

This paper presents a prototype for a honeynet based on SDN. The prototype is structured by a Pyretic controller, an application, a switch with OpenFlow support and a network. The network is composed of two segments; one of them called the production network, and the other, the honeynet. The application helps detecting and deviating attacks to the honeynet. Six different types of attacks are considered, three of them are Denial of Service (DoS) attacks and the other two are spoofing attacks. The DoS selected attacks are SMURF, THC SSL DoS and TCP SYN Flood; and the spoofing attacks are based on DNS, IP and ARP. The application contains a main module that is responsible for calling six additional modules, each designed for detecting a particular attack; the main module also loads a secondary module that injects the analyzed packets back into one of the two segments of the network. The application can be customized using a configuration file that flags whether the application will run a specific module or the six modules simultaneously; this allows protecting the network from either a particular attack or from all the six chosen attacks. A description of the developed modules using Pyretic is included. In addition, results of several tests carried out using the prototype for testing attacks are presented.