Re: [lwip-devel] SYN flood attack - lwip crash


From: pweb . ing
Subject: Re: [lwip-devel] SYN flood attack - lwip crash
Date: Mon, 2 Feb 2009 21:00:23 +0100

2009/2/2, address@hidden <address@hidden>:
> Thanks for finding this, I've filed a bug in the savannah bug tracker.

I saw the email.. I have to read it...

> Does this mean there are no problems when TCP_LISTEN_BACKLOG is turned off?

I will try tomorrow.... but in this case I cannot have pending requests
to connect?

>
>  Oh, and you wouldn't have to restart the board, only close and reopen
> the listen pcb, but I know that's not an option :-)

no I can't... because I cannot catch this situation... I'm using
sockets... no information about internal structure...

>
> Just out of curiosity: The tests you did isn't a real SYN flooding DoS
> attack, is it? I think it's only a stress-test, since the connection is
> closed in a correct way, not left half-open.

I personally saw and debugged this issue using the nmap tool... but before,
people who tested my board reported the bug to me... they used a tool which
does a real SYN attack, built by themselves... but I cannot have this tool

Piero

>
> Simon
>
>
> Piero 74 wrote:
>> Some news debugging the code....
>>
>> 1. I use nmap to scan open ports on my lwip board
>> 2. using wireshark I saw that nmap sends:
>> - a SYN packet -----> after this packet lwip code increments in
>> listener pcb the field accepts_pending, adds a pcb for new connection
>> and sends an ACK
>> - a RST packet ------> after this, lwip code removes allocated pcb, but
>> DOESN'T decrement in listener pcb the field accepts_pending
>>
>> another issue....
>> I checked the code... pcb in SYN_RCVD for more than 20 seconds (default)
>> will be removed, but, again, lwip DOESN'T decrement in listener pcb
>> the field accepts_pending
>>
>> the only place where accepts_pending is decremented is in do_recv...
>> when connection is established...
>>
>> the issue is related to SYN attack...
>> if you have a backlog in listener = N
>> you can receive N SYN attack... after you need to restart the board...
>>
>> I can imagine now a patch....
>>
>> Bye
>> Piero
>>
>>
>>
>> 2009/1/30 Kieran Mansley <address@hidden <mailto:address@hidden>>
>>
>>     On Fri, 2009-01-30 at 16:36 +0100, Piero 74 wrote:
>>
>>     > ...now the problem is "only" how to patch this bug...
>>     > (do you agree with me? is it a bug? i'm wrong in same way???)
>>
>>     I wonder if your mail box is overflowing, which might explain why
>>     tcp_accepted never gets called.  Worth checking out.  I seem to recall
>>     that there's a minimum size for the mailbox to ensure everything works
>>     fine, but can't remember the details.
>>
>>     However, I'm not convinced you've found your bug: you had a problem
>>     without the listen backlog code, so a bug in that code isn't going to
>>     explain what went wrong without it.
>>
>>     Did you find out what's on the other pcb lists, and what the stats are
>>     for the number of pcbs allocated?
>>
>>     Kieran
>>
>>
>>
>>     _______________________________________________
>>     lwip-devel mailing list
>>     address@hidden <mailto:address@hidden>
>>     http://lists.nongnu.org/mailman/listinfo/lwip-devel
>>
>>
>
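
Added example, not part of the thread and not lwIP source: a toy C model of the accounting problem described in the message above, where accepts_pending is incremented on SYN but only decremented on the accept path. The function names, the event enum and the `fix_accounting` switch are assumptions made for illustration; the fix modeled here (decrement whenever the pending pcb is removed) is one possible approach, not the patch lwIP adopted.

```c
#include <stdio.h>

/* Toy model (constructed, not lwIP code): a listener with a backlog limit
 * and the accepts_pending counter named in the thread. */
struct listener { int backlog; int accepts_pending; };

/* How a half-open connection ends (hypothetical names). */
enum outcome { EV_ACCEPTED, EV_RST, EV_SYN_RCVD_TIMEOUT };

/* SYN arrives: refuse if the backlog is full, else count a pending accept. */
static int on_syn(struct listener *l) {
    if (l->accepts_pending >= l->backlog)
        return 0;
    l->accepts_pending++;
    return 1;
}

/* The pending pcb goes away. As reported, only the accept path decrements.
 * fix_accounting = 1 (assumed fix) also decrements on RST and on timeout. */
static void on_pcb_gone(struct listener *l, enum outcome why, int fix_accounting) {
    if (why == EV_ACCEPTED || fix_accounting)
        l->accepts_pending--;
}

/* Deliver `rounds` SYNs, each ended by `why`; return how many were admitted. */
int simulate(int backlog, int rounds, enum outcome why, int fix_accounting) {
    struct listener l = { backlog, 0 };
    int admitted = 0;
    for (int i = 0; i < rounds; i++) {
        if (!on_syn(&l))
            continue;               /* listener is stuck: SYN dropped */
        admitted++;
        on_pcb_gone(&l, why, fix_accounting);
    }
    return admitted;
}

int main(void) {
    printf("SYN+RST, reported behaviour: %d of 100 admitted\n",
           simulate(4, 100, EV_RST, 0));
    printf("SYN+RST, counter released:   %d of 100 admitted\n",
           simulate(4, 100, EV_RST, 1));
    printf("timeout, reported behaviour: %d of 100 admitted\n",
           simulate(4, 100, EV_SYN_RCVD_TIMEOUT, 0));
    return 0;
}
```

With a backlog of N the leaking variant admits exactly N connections and then refuses every later SYN, which matches the "N SYN attack... after you need to restart the board" observation.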
