[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [lwip-devel] SYN flood attack - lwip crash
From: |
Piero 74 |
Subject: |
Re: [lwip-devel] SYN flood attack - lwip crash |
Date: |
Mon, 2 Feb 2009 17:36:38 +0100 |
Some news debugging the code....
1. i use nmap to scan open port in my lwip board
2. using wireshark i saw that nmap sends:
- a SYN packet -----> after this packet lwip code increment in listener pcb the field accepts_pending, add a pcb for new connection and send an ACK
- a RST packet ------> after this, lwip code remove allocated pcb, but DOESN'T decrement in listener pcb the field accepts_pending
another issue....
i checked the code... pcb in SYN_RCVD for more of 20 seconds (default) will be removed, but, again, lwip DOESN'T decrement in listener pcb the field accepts_pending
the only place where accepts_pending is decremented is in do_recv... when connection is estabilshed...
the issue is related to SYN attack...
if you have a backlog in listener = N
you can receive N SYN attack... after you need to restart the board...
I can imagine now a patch....
Bye
Piero
2009/1/30 Kieran Mansley
<address@hidden>
On Fri, 2009-01-30 at 16:36 +0100, Piero 74 wrote:
> ...now the problem is "only" how patch this bug...
> (do you agree with me? is it a bug? i'm wrong in same way???)
I wonder if your mail box is overflowing, which might explain why
tcp_accepted never gets called. Worth checking out. I seem to recall
that there's a minimum size for the mailbox to ensure everything works
fine, but can't remember the details.
However, I'm not convinced you've found your bug: you had a problem
without the listen backlog code, so a bug in that code isn't going to
explain what went wrong without it.
Did you find out what's on the other pcb lists, and what the stats are
for the number of pcbs allocated?
- Re: [lwip-devel] SYN flood attack - lwip crash,
Piero 74 <=