Re: [lwip-devel] SYN flood attack - lwip crash

[Piero 74]

ok... i suppose i'm close to the problem...

the only function which decrement accepts_pending in pcb in tcp_listen_pcbs is:

"tcp_accepted"

called in "do_recv"

i suppose that during SYN flood attack this function is not called....

can you confirm my idea???

if yes, how we can patch this issue???

Bye

Piero

2009/1/30 Piero 74 <address@hidden>

kieran... i found something interesting... :OD

first, in my code, i set a backlog = 1:

#define SOCKTCPBACKLOG                    1

....

// create TCP listener

INT32 createTCPListener(UINT16 port)

{

  INT32 sd;

  struct sockaddr_in serv_addr;

  sd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

  if (sd >= 0)

  {

    // valid socket

    serv_addr.sin_family = AF_INET;

    serv_addr.sin_addr.s_addr = INADDR_ANY;

    serv_addr.sin_port = htons(port);

    bind(sd, (struct sockaddr *) &serv_addr, sizeof(serv_addr));

    listen(sd, SOCKTCPBACKLOG);

  }

  return(sd);

}

i have 3 listener created in this way.

After a scan with nmap, and syn flood, i found that 

tcp_listen_pcbs

are listener with field

accepts_pending = 1

so, lwip code reject the connect request.

I didn't understand why this field is not reset!!!

any idea?

Piero

2009/1/30 Kieran Mansley <address@hidden>

On Fri, 2009-01-30 at 15:20 +0100, Piero 74 wrote:

> watching with debugger...
>
>
> tcp_slowtmr() seems not work... i checked some vars:
> tcp_active_pcbs point to NULL (no pcb available)
>

What about the other PCB lists:

tcp_bound_pcbs
tcp_listen_pcbs
tcp_tw_pcbs

Can you confirm what the state of the PCB stats are?  i.e. How many PCBs
are allocated etc?

Kieran



_______________________________________________
lwip-devel mailing list
address@hidden
http://lists.nongnu.org/mailman/listinfo/lwip-devel