SDN-Based Network Defense Platform
A comprehensive network defense and traffic redirection platform that seamlessly integrates the Ryu controller, Open vSwitch, and Snort IDS. NetDefender enables automated threat detection and dynamic traffic redirection to containerized honeypots, providing an observable and controllable experimental defense environment.
Built on the OSKen/Ryu controller framework for flexible, programmable network control and policy management.
Intelligent packet forwarding using Open vSwitch for seamless traffic redirection to honeypot containers.
Real-time threat detection powered by Snort IDS for comprehensive network security monitoring.
Dynamic container lifecycle management for honeypot services with automated scaling capabilities.
Flexible policy framework allowing customizable defense strategies and traffic handling rules.
Execute the following commands to install the Ryu controller:
# Switch to root user
sudo -s
# Install Git
apt install git -y
# Clone the NetDefender repository
git clone https://github.com/sinyuan1022/NetDefender.git
# Navigate to the Ryu directory
cd ./NetDefender/ryu/
# Run the Ryu installation script
bash ./ryu_install.sh
Prerequisites: Complete the Ryu server installation first.
# Switch to root user
sudo -s
# Install Git
apt install git -y
# Clone the NetDefender repository
git clone https://github.com/sinyuan1022/NetDefender.git
# Navigate to the Snort directory
cd ./NetDefender/snort/
# Run the Snort installation script
bash ./snort_install.sh
Note: This deployment mode is currently not enabled by default. Use this option only if you want to combine both Ryu and Snort on a single server.
# Switch to root user
sudo -s
# Install Git
apt install git -y
# Clone the NetDefender repository
git clone https://github.com/sinyuan1022/NetDefender.git
# Navigate to the root directory
cd ./NetDefender/
# Run the combined installation script
bash ./singel.sh
NetDefender uses a JSON-based configuration file to define honeypot containers with flexible port mapping:
{
"containers": [
{
"image_name": "cowrie/cowrie",
"name": "ssh",
"ports": [
{
"host_port": 22,
"container_port": 2222,
"protocol": "tcp"
}
],
"command": "",
"multi": "yes",
"max": 10,
"max_containers": 10,
"send_response": "yes"
},
{
"image_name": "dinotools/dionaea",
"name": "dionaea",
"ports": [
{"host_port": 21, "container_port": 21, "protocol": "tcp"},
{"host_port": 80, "container_port": 80, "protocol": "tcp"},
{"host_port": 443, "container_port": 443, "protocol": "tcp"},
// ... additional ports
],
"multi": "yes",
"max": 10,
"max_containers": 10,
"send_response": "yes"
}
]
}
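A pre-deployment check for this file, as an added example (not part of the NetDefender code base): it rejects text that is not strict JSON, such as a listing that still carries the `// ... additional ports` placeholder, and flags out-of-range ports and host ports claimed by two honeypots. Assumptions: `validate_config` and the sample are constructed here, `udp` is accepted alongside `tcp`, `max_containers` is a positive instance cap, and each host port/protocol pair should map to a single honeypot.

```python
import json
# Constructed sample in the page's format; the second entry reuses host port 22.
SAMPLE = """
{"containers": [
  {"image_name": "cowrie/cowrie", "name": "ssh",
   "ports": [{"host_port": 22, "container_port": 2222, "protocol": "tcp"}],
   "multi": "yes", "max_containers": 10, "send_response": "yes"},
  {"image_name": "dinotools/dionaea", "name": "dionaea",
   "ports": [{"host_port": 21, "container_port": 21, "protocol": "tcp"},
             {"host_port": 22, "container_port": 22, "protocol": "tcp"},
             {"host_port": 70000, "container_port": 80, "protocol": "tcp"}],
   "multi": "yes", "max_containers": 0, "send_response": "yes"}
]}
"""

def validate_config(text):
    """Return a list of problems found in a honeypot container config."""
    try:
        containers = json.loads(text)["containers"]
    except (json.JSONDecodeError, KeyError, TypeError) as exc:
        return [f"not a usable config: {exc!r}"]  # e.g. a '//' comment left in
    problems, seen_ports, seen_names = [], {}, set()
    for c in containers:
        name = c.get("name", "<unnamed>")
        for key in ("image_name", "name", "ports"):
            if not c.get(key):
                problems.append(f"{name}: missing or empty '{key}'")
        if name in seen_names:
            problems.append(f"{name}: duplicate container name")
        seen_names.add(name)
        limit = c.get("max_containers")  # assumption: per-honeypot instance cap
        if not isinstance(limit, int) or limit < 1:
            problems.append(f"{name}: max_containers must be a positive integer")
        for p in c.get("ports", []):
            proto = p.get("protocol")
            if proto not in ("tcp", "udp"):  # assumption: only these two
                problems.append(f"{name}: unknown protocol {proto!r}")
            for key in ("host_port", "container_port"):
                port = p.get(key)
                if not isinstance(port, int) or not 1 <= port <= 65535:
                    problems.append(f"{name}: {key} {port!r} out of range")
            # assumption: one honeypot per host port/protocol pair
            owner = seen_ports.setdefault((p.get("host_port"), proto), name)
            if owner != name:
                problems.append(f"{name}: host port {p.get('host_port')}/{proto} already mapped by {owner}")
    return problems

if __name__ == "__main__":
    print("\n".join(validate_config(SAMPLE)) or "config OK")
```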
Medium-interaction SSH/Telnet honeypot
Emulates an SSH service to capture brute-force attacks, shell interactions, and file downloads. Logs all attacker commands and activities.
Low-interaction multi-protocol honeypot
Comprehensive honeypot emulating multiple vulnerable services simultaneously. Captures malware, exploits, and attack patterns across various protocols.
NetDefender network topology showing SDN controller, Open vSwitch, Snort IDS, and containerized honeypot deployment