Re: [lwip-users] Security implemented in LWIP


From: Kieran Mansley
Subject: Re: [lwip-users] Security implemented in LWIP
Date: Wed, 28 Jan 2009 11:15:55 +0000

On Wed, 2009-01-28 at 11:53 +0100, Piero 74 wrote:
> Hi
> 
> I have a similar problem with my IP board. My product is for the intrusion
> market, so our marketing asked me if I can protect the board from
> a crash caused by a DOS attack.
> Yesterday, during tests on my board, a guy tried a SYN flood attack,
> and afterwards my board needed a reset (I suppose the lwip stack crashed...
> but I have to investigate)
> 
> In my opinion, a solution to reduce risk from DOS attacks, is PACKET
> FILTERING:
> my idea is to give the user the possibility to define some rules for
> incoming packets, that will be applied in the emac driver context:
> - a list of TRUSTED IP, only packets from this IP will be forwarded to
> lwip stack
> - rules for packet filtering based on protocol (IGMP/UDP/TCP), ports,
> and IP

In my view a crash is a bug, and by using packet filtering you might
treat the symptom but not the problem.  I would investigate where the
crash happened and fix that first.

However, lwIP is by design very conservative with its resource usage,
and by application likely to be on systems that are constrained in some
way.  Therefore it is always going to be possible, with a suitably well
crafted attack, to overwhelm such a system with traffic and exclude the
packets that should get through.  That said, the system should cope with
being overloaded, and return to functional operation when the extra load
is stopped - if it doesn't (as I said above) it's a bug that should be
fixed.  Packet filtering will just move the load of coping with such
packets to the driver rather than the network stack, and so may help a
little but it won't be a complete solution.

Kieran
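
The driver-level filter discussed in this message (a trusted source list plus protocol and port rules), as an added example that is not part of the original thread or of lwIP. The function name `filter_accept`, the addresses, the rules and the sample frame are all constructed for illustration; it assumes the driver calls the check on each received Ethernet frame before handing it to the stack.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed policy for illustration: trusted sources and allowed services. */
struct rule { uint8_t proto; uint16_t dport; };            /* dport 0 = any port */
static const uint32_t trusted_ip[] = { 0xC0A8010AU, 0xC0A80114U }; /* 192.168.1.10, .20 */
static const struct rule rules[] = { { 6, 80 }, { 17, 5000 }, { 2, 0 } }; /* TCP/80, UDP/5000, IGMP */

/* Constructed sample frame: 192.168.1.10 -> 192.168.1.1, TCP destination port 80. */
static uint8_t sample_frame[38] = {
    0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00,                      /* MACs, ethertype IPv4 */
    0x45,0,0,24, 0,0,0x40,0, 64,6,0,0, 192,168,1,10, 192,168,1,1, /* IPv4, DF set, TCP */
    0x04,0x00, 0x00,0x50 };                                   /* ports 1024 -> 80 */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Returns 1 if the frame may go to the stack, 0 to drop it. Every read is
 * bounds-checked so a malformed frame cannot crash the filter itself. */
int filter_accept(const uint8_t *f, size_t len)
{
    size_t i, ihl;
    const uint8_t *ip;
    uint16_t type, dport = 0;
    int trusted = 0;

    if (len < 14) return 0;
    type = rd16(f + 12);
    if (type == 0x0806) return 1;        /* ARP must pass or no peer can resolve us */
    if (type != 0x0800) return 0;        /* everything else must be IPv4 */
    ip = f + 14; len -= 14;
    if (len < 20 || (ip[0] >> 4) != 4) return 0;
    ihl = (size_t)(ip[0] & 0x0F) * 4;
    if (ihl < 20 || ihl > len) return 0;
    if (rd16(ip + 6) & 0x3FFF) return 0; /* policy choice: drop fragments (MF or offset) */

    for (i = 0; i < sizeof trusted_ip / sizeof trusted_ip[0]; i++)
        if (trusted_ip[i] == rd32(ip + 12)) trusted = 1;
    if (!trusted) return 0;

    if (ip[9] == 6 || ip[9] == 17) {     /* TCP/UDP: destination port at L4 offset 2 */
        if (len < ihl + 4) return 0;
        dport = rd16(ip + ihl + 2);
    }
    for (i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (rules[i].proto == ip[9] && (rules[i].dport == 0 || rules[i].dport == dport))
            return 1;
    return 0;
}

int main(void) { return filter_accept(sample_frame, sizeof sample_frame) ? 0 : 1; }
```

The check costs a fixed, small amount per frame, but it still runs for every flooded packet, which is the shift of load from the stack to the driver described above.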