|
|
Academic Research Project
University of Luxembourg | CYBERUS Erasmus Mundus Joint Master's Program
Course: Security of Software Defined Networking
Semester: 3rd Semester, Academic Year 2025-2026
This repository contains educational and research material demonstrating Man-in-the-Middle attacks in controlled SDN environments.
- Educational context only — Techniques demonstrated in this project are for learning cybersecurity defense mechanisms
- Controlled environments — All experiments conducted in isolated Mininet simulations, not against production networks
- Do not deploy maliciously — Unauthorized access to computer systems is illegal. See LICENSE for complete terms
- University coursework — Developed as academic project at University of Luxembourg under supervision
This material is provided solely for educational purposes to understand cybersecurity threats and implement better defenses.
 Farhad Anwari Project Lead & ARP Spoofing |
 Dilnoza Yodalieva DNS Hijacking & Testing |
 Azamat Shirinshoev Analysis & Documentation |
Professors:
Institution: University of Luxembourg
Department: SNT - Security & Trust
Program: CYBERUS Erasmus Mundus Joint Master
This project investigates how Software-Defined Networks behave under classic Man-in-the-Middle (MITM) attacks by implementing:
- ARP Spoofing (Layer 2) - Poisoning ARP caches to intercept traffic between hosts
- DNS Hijacking (Layer 3/7) - Redirecting DNS queries to malicious resolvers through SDN control plane manipulation
Key Findings:
- SDN's centralized control does not protect end-hosts from ARP cache poisoning
- Controller flow tables remain unaware of Layer 2 manipulation
- SDN programmability can be abused to redirect traffic at the control plane
- Defense requires intentional design choices (ARP inspection, DNSSEC, access control)
sdn-mitm-attacks-research/
├── README.md # This file
├── LICENSE # Educational use license with disclaimer
├── .gitignore # Git ignore rules
│
├── arp-spoofing/ # Phase 1: ARP Spoofing Attack
│ ├── topo.py # Mininet topology definition
│ ├── scripts/
│ │ ├── arp_spoof_attack.py # Main ARP spoofing attack script
│ │ └── arp_spoof_attack_bkp.py # Backup version
│ ├── captures/
│ │ └── arp_H1H2.pcap # Packet capture of attack
│ └── logs/
│ ├── flows_before.txt # OpenFlow rules before attack
│ ├── flows_during.txt # OpenFlow rules during attack
│ ├── flows_after.txt # OpenFlow rules after attack
│ └── h2_arp_*.txt # ARP cache states (before/during/after)
│
├── dns-hijacking/ # Phase 2: DNS Hijacking Attack
│ ├── scripts/
│ │ ├── new_topo.py # Enhanced network topology
│ │ ├── hijack_switch.py # DNS hijacking via OpenFlow rules
│ │ ├── mini_dns.py # Minimal DNS server implementation
│ │ ├── dnsmasq-h1.conf # DNS configuration for host H1
│ │ └── dnsmasq-h2.conf # DNS configuration for host H2
│ └── captures/
│ ├── dns-full.pcap # Full DNS traffic capture
│ └── dns-new1-full.pcap # DNS attack capture variant
│
├── diagrams/ # Visualization and documentation
│ └── attack-sequence-diagram.png # Attack sequence diagrams
│
└── visuals/ # Logos and images
├── University-of-Luxembourg-logo.png
└── logo-cyberus-master.png
┌─────────────────────────────────────┐
│ Hosts (H1, H2, H3) │
│ (Running in Mininet) │
└──────────────┬──────────────────────┘
│
▼
┌─────────────────────────────────────┐
│ OpenFlow Switches │
│ (Mininet Virtual Switches) │
└──────────────┬──────────────────────┘
│
▼
┌─────────────────────────────────────┐
│ SDN Controller │
│ (ONOS / RYU) │
└─────────────────────────────────────┘
Attacker: Compromised host on network
- Baseline Collection - Capture normal ARP traffic and flow rules
- Attack Launch - Send spoofed ARP replies to victims
- Traffic Interception - Victims route traffic through attacker
- Monitoring - Capture ARP cache states and network flows
- Analysis - Compare before/during/after states
- DNS Request Interception - Redirect DNS queries via OpenFlow rules
- Rogue Resolver - Route queries to attacker-controlled DNS server
- Poisoned Responses - Return attacker-controlled IP addresses
- Seamless Operation - Normal network services continue functioning
Watch the ARP spoofing attack in action, showing traffic interception and ARP cache poisoning:
Video: https://youtu.be/3FTKmm4AXpQ
This demonstration shows:
- Initial network connectivity verification
- ARP spoofing attack execution
- Real-time traffic capture between hosts
- ARP cache state changes during attack
Watch the DNS hijacking attack demonstration, showing traffic redirection and response manipulation:
Video: https://youtu.be/k0Fb7_FVW38
This demonstration shows:
- DNS query interception via OpenFlow rules
- Redirection to rogue DNS server
- Query response manipulation
- Impact on affected hosts
- Linux/macOS environment (Linux recommended)
- Python 3.6+
- Mininet 2.3.0+
- OpenFlow switch (simulated via Mininet)
- SDN Controller: ONOS or RYU
-
Install Mininet:
sudo apt-get install mininet
-
Install RYU Controller:
pip install ryu
-
Install packet analysis tools:
sudo apt-get install tcpdump dnsmasq wireshark
cd arp-spoofing
# Start the network topology
sudo python3 topo.py
# In another terminal, launch the ARP spoofing attack
sudo python3 scripts/arp_spoof_attack.py
# Capture packets in another terminal
sudo tcpdump -i s1-eth1 -w capture.pcapcd dns-hijacking
# Start the enhanced network topology
sudo python3 scripts/new_topo.py
# Deploy rogue DNS server
sudo python3 scripts/mini_dns.py
# Apply OpenFlow rules for DNS hijacking
sudo python3 scripts/hijack_switch.py
# Monitor DNS traffic
sudo tcpdump -i h1-eth0 -w dns_capture.pcapFunctionality:
- Bidirectional ARP poisoning between two hosts
- IP forwarding configuration for traffic relay
- Real-time statistics and packet counting
- Graceful cleanup and ARP cache restoration
Key Components:
- MAC address resolution
- Kernel protection bypass (reverse path filtering)
- ARP cache population
- Packet forwarding between victims
Functionality:
- Modification of OpenFlow rules at the switch
- DNS traffic redirection to attacker-controlled server
- Integration with SDN controller
- Configuration through network programming
Attack Vectors:
- Flow-based redirection at switch level
- Host-based DNS configuration modification
- Rogue DNS server responding to queries
Evidence Collected:
- ARP cache poisoning logs showing MAC address mappings
- OpenFlow flow tables before, during, and after attack
- Packet captures showing traffic flow changes
- Host connectivity and throughput measurements
Findings:
- Successful ARP poisoning verified via ARP cache dumps
- Traffic successfully rerouted through attacker
- SDN controller unaware of Layer 2 manipulation
- Traditional defense mechanisms remain necessary
Evidence Collected:
- DNS query redirection logs
- Response packet captures showing poisoned answers
- Host-level DNS resolution changes
- Network service continuity verification
Findings:
- Complete DNS query redirection achieved
- Seamless operation with legitimate traffic
- Control plane compromise amplifies attacks
- Host-level and network-level defenses both needed
-
Dynamic ARP Inspection (DAI)
- Verify ARP messages against DHCP snooping database
- Rate limiting on ARP traffic
- Invalid ARP message filtering
-
DNSSEC
- Cryptographic validation of DNS responses
- Protection against DNS poisoning
- Root trust anchor verification
-
Access Control
- Strict SDN controller access policies
- Authentication and authorization
- Audit logging of rule modifications
-
Static ARP Entries
- Manually configure critical ARP mappings
- Prevents dynamic ARP cache poisoning
- Suitable for small, stable networks
-
ARP Monitoring Tools
- ArpON - Active ARP spoofing detection
- ARPwatch - ARP traffic monitoring
- Changes alerting mechanisms
-
DNS Security
- DNSSEC validation
- Multiple DNS servers
- Network monitoring for suspicious queries
-
ARP Proxy Architecture
- Centralized ARP handling by controller
- Controller validates ARP messages
- Prevents host-to-host ARP communication
-
MAC-IP Binding Enforcement
- Controller maintains authoritative binding table
- Flow rules validate source MAC-IP pairs
- Invalid packets dropped at switch level
-
Flow Rule Validation
- Security-aware flow installation
- Controller inspects rule contents
- Prevents malicious rule injection
- Layer 2 vulnerabilities persist in SDN environments
- SDN provides control plane visibility but not host protection
- Programmability creates new attack surfaces
- Defense-in-depth approach necessary
- Functional malware or exploit code
- Production attack tools
- Intended for unauthorized network access
- Complete security solution
This research should be used to:
- Understand modern network attack techniques
- Design better network security controls
- Train security professionals
- Improve defensive capabilities
Academic contributions welcome with proper attribution:
- Fork this repository
- Create a feature branch for your analysis
- Document findings comprehensively
- Maintain educational and non-malicious intent
- Submit pull request with clear academic context
All contributions must comply with the LICENSE terms and include:
- University/institution attribution
- Clear academic purpose
- Disclaimer about non-malicious use
- Proper citation of referenced work
This project is released under a custom Educational Research License with Security Disclaimer. See LICENSE for complete terms.
Key Points:
- Educational and research use permitted
- Unauthorized system access strictly prohibited
- Derivative works must include attribution and disclaimers
- Commercial use requires explicit permission
Contact the course instructors or original authors through their GitHub profiles and LinkedIn connections listed above.
- University of Luxembourg: https://www.uni.lu/
- SNT Department: https://www.uni.lu/snt-en/
- CYBERUS Master Program: https://master-cyberus.eu/
University of Luxembourg | CYBERUS Master | Security of Software Defined Networking
Academic Project - 2025-2026
This is educational material demonstrating cybersecurity attack mechanisms for learning and defensive purposes only.
Last Updated: January 2026
Do not deploy maliciously. Do not use against systems you do not own or have explicit permission to test.