Re: [lwip-users] Security implemented in LWIP


From: Piero 74
Subject: Re: [lwip-users] Security implemented in LWIP
Date: Wed, 28 Jan 2009 11:53:10 +0100

Hi

I have a similar problem with my IP board. My product is for the intrusion market, so our marketing asked me if I can protect the board from crashes caused by DoS attacks.
Yesterday, during tests on my board, a guy tried a SYN flood attack, and afterwards my board needed a reset (I suppose the lwIP stack crashed... but I have to investigate).

In my opinion, a solution to reduce the risk from DoS attacks is PACKET FILTERING:
my idea is to give the user the possibility to define some rules for incoming packets, which will be applied in the EMAC driver context:
- a list of TRUSTED IPs; only packets from these IPs will be forwarded to the lwIP stack
- rules for packet filtering based on protocol (IGMP/UDP/TCP), ports, and IP

Raunak, Mike and other developers... we can discuss this here.

Bye
Piero.

2009/1/28 Mike Kleshov <address@hidden>
That's an interesting subject. There are many different classes of
network attacks. Some of them are protocol-specific (recent DNS
vulnerability, TCP syn flood, ARP spoofing etc.), some target
vulnerabilities in particular implementations (e.g. resource
exhaustion), some are generic (flooding link with traffic.) You cannot
counter all of them. The best you can do is evaluate the risks and try
to bring them down to an acceptable level. That 'acceptable level' is
highly dependent on your application requirements.
I don't think that anyone performed a thorough evaluation of lwip in
terms of vulnerability to network attacks. There will definitely be
bugs. For example, a few months ago a bug was found where a
malformed TCP header could cause a crash:
https://savannah.nongnu.org/bugs/index.php?24596
So, if possible, try to choose simple protocols, e.g. favour UDP over TCP.

Regards,
- mike

2009/1/28 Raunak Rungta <address@hidden>:
> Hi All,
> I am doing a project to analyze the security requirements in connecting the
> set of wireless sensors with the Internet. I am totally new to this area. I
> read about different TCP/IP stack implementations like lwIP, uIP and others.
> Can anyone point me to some links where I can find how other implementors
> have approached this problem? How they have tried to secure their Wireless
> Sensor Networks from the different possible attacks from Internet? Any links
> to such implementations will also be helpful.
> Thanks in advance,
> Raunak Rungta


_______________________________________________
lwip-users mailing list
address@hidden
http://lists.nongnu.org/mailman/listinfo/lwip-users
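The driver-level filter proposed in the message above (a trusted-source list plus protocol and port rules), as an added example that is not part of the original thread or of lwIP. `struct rx_rule`, `rx_filter_accept`, `make_frame` and the sample policy are hypothetical, and passing ARP unfiltered is an assumption; an Ethernet driver would call the check on each received frame before handing it to the stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical rule: allow `proto` from src/mask to dport (0 = any port). */
struct rx_rule { uint32_t src, mask; uint8_t proto; uint16_t dport; };

static const struct rx_rule rules[] = {      /* constructed sample policy */
    { 0xC0A8010Au, 0xFFFFFFFFu,  6, 80 },    /* 192.168.1.10   -> TCP/80  */
    { 0xC0A80100u, 0xFFFFFF00u, 17,  0 },    /* 192.168.1.0/24 -> any UDP */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Returns 1 to hand the Ethernet frame to the stack, 0 to drop it. */
int rx_filter_accept(const uint8_t *f, size_t len)
{
    if (len < 14 + 20) return 0;                    /* Ethernet + minimal IPv4 header */
    uint16_t type = rd16(f + 12);
    if (type == 0x0806) return 1;                   /* ARP passed unfiltered (assumption) */
    if (type != 0x0800) return 0;                   /* everything else that is not IPv4 */
    const uint8_t *ip = f + 14;
    size_t iplen = len - 14, ihl = (size_t)(ip[0] & 0x0F) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ihl > iplen) return 0;
    uint8_t proto = ip[9];
    int first_frag = (rd16(ip + 6) & 0x1FFF) == 0;  /* only offset 0 carries ports */
    int has_port = (proto == 6 || proto == 17) && first_frag;
    if (has_port && iplen < ihl + 4) return 0;      /* truncated TCP/UDP header */
    uint16_t dport = has_port ? rd16(ip + ihl + 2) : 0;
    uint32_t src = rd32(ip + 12);
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct rx_rule *r = &rules[i];
        if (r->proto != proto || (src & r->mask) != r->src) continue;
        if (r->dport != 0 && (!has_port || dport != r->dport)) continue;
        return 1;                                   /* first matching rule accepts */
    }
    return 0;                                       /* default deny */
}

/* Builds a constructed frame: Ethernet + 20-byte IPv4 header + 4 bytes of L4 ports. */
size_t make_frame(uint8_t *b, uint32_t src, uint8_t proto, uint16_t dport)
{
    memset(b, 0, 38);
    b[12] = 0x08; b[14] = 0x45; b[23] = proto;      /* ethertype IPv4, v4/IHL 5 */
    b[26] = (uint8_t)(src >> 24); b[27] = (uint8_t)(src >> 16);
    b[28] = (uint8_t)(src >> 8);  b[29] = (uint8_t)src;
    b[36] = (uint8_t)(dport >> 8); b[37] = (uint8_t)dport;
    return 38;
}
```

Because the check runs before any buffer is passed up, dropped frames cost the stack nothing; it does not by itself stop a flood arriving from an allowed source address.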