
Re: [lwip-devel] SYN flood attack - lwip crash


From: Piero 74
Subject: Re: [lwip-devel] SYN flood attack - lwip crash
Date: Fri, 30 Jan 2009 14:51:45 +0100

Kieran....

another log for us...
I did another flood test...
after test (as you can see in log):
- lwip board answers to ping request.. so, emac driver works.
- if I try to connect to tcp listener, lwip doesn't answer to SYN packet

I waited 45 minutes... nothing changes...

I have a debugger connected to board....
Kieran... tell me NOW (if you are online) what I have to check...
I will be here until 18.00

Piero

2009/1/30 Kieran Mansley <address@hidden>
On Fri, 2009-01-30 at 11:56 +0100, Piero 74 wrote:
> Hi Kieran.
>
> At the end of scan... no answers from lwip...
> I did a cut of wireshark, from the final tests of scan, to the end.
>
> After the scan, I tried more times to connect to board...

OK, that's helpful.  It looks like lwIP is alive in that it's sending
RST frames in response to packets that don't match an existing
connection, but it's not sending any response to a SYN, and it's not
retransmitting anything.  I would try and debug what's happening in the
tcp_slowtmr() function and see if there are any half-open connections
(i.e. in SYN_SENT or SYN_RECV states) and what the stack is doing about
them.  It should be (i) retransmitting and (ii) timing them out
eventually.

Your packet capture only shows 80 seconds, which I think won't be long
enough to time any half-open connections out, but I think tcp_slowtmr()
is the right place to look for more detail.

Thanks

Kieran



_______________________________________________
lwip-devel mailing list
address@hidden
http://lists.nongnu.org/mailman/listinfo/lwip-devel

Attachment: log3.zip
Description: Zip archive
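
The check suggested in the quoted reply (find half-open connections, then see whether they are being retransmitted and timed out), as an added example that is not code from this thread or from lwIP. It is a stand-alone C model: `model_pcb`, `half_open_census` and the 40-tick timeout are hypothetical names and values, and the sample list is constructed.

```c
/* Added example: hypothetical stand-alone model, not lwIP source. */
#include <stdint.h>
#include <stdio.h>

enum model_state { M_LISTEN, M_SYN_SENT, M_SYN_RCVD, M_ESTABLISHED };
struct model_pcb {
    struct model_pcb *next;
    enum model_state state;
    uint32_t tmr;   /* slow-timer tick at which this PCB entered its state */
    uint8_t nrtx;   /* retransmissions sent so far */
};
struct census {
    unsigned total;          /* PCBs on the active list */
    unsigned half_open;      /* in SYN_SENT or SYN_RCVD */
    unsigned overdue;        /* half-open past the timeout, yet never reaped */
    unsigned overdue_no_rtx; /* overdue and never retransmitted either */
};

/* Walk the active list once and classify every half-open PCB. */
struct census half_open_census(const struct model_pcb *active, uint32_t now, uint32_t timeout_ticks)
{
    struct census c = {0, 0, 0, 0};
    for (const struct model_pcb *p = active; p != NULL; p = p->next) {
        c.total++;
        if (p->state != M_SYN_SENT && p->state != M_SYN_RCVD) continue;
        c.half_open++;
        /* Unsigned subtraction keeps the age correct across tick wrap-around. */
        if ((uint32_t)(now - p->tmr) <= timeout_ticks) continue;
        c.overdue++;
        c.overdue_no_rtx += (p->nrtx == 0);
    }
    return c;
}

/* Constructed sample: what an active list might look like after a flood. */
struct census constructed_sample(uint32_t now)
{
    struct model_pcb d = {NULL, M_SYN_SENT, 90, 3};
    struct model_pcb c = {&d, M_SYN_RCVD, 1000, 2};
    struct model_pcb b = {&c, M_SYN_RCVD, 100, 0};
    struct model_pcb a = {&b, M_ESTABLISHED, 100, 0};
    return half_open_census(&a, now, 40); /* 40 ticks: assumed timeout */
}

int main(void)
{
    struct census s = constructed_sample(1010);
    printf("active=%u half_open=%u overdue=%u overdue_no_rtx=%u\n",
           s.total, s.half_open, s.overdue, s.overdue_no_rtx);
    return 0;
}
```

A non-zero `overdue` count means half-open entries outlived the timeout without being removed; `overdue_no_rtx` separates the ones that were never retransmitted either.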

