Hi,

I have a similar problem with my IP board. My product is for the intrusion market, so our marketing asked me if I can protect the board from crashes caused by DoS attacks. Yesterday, during tests on my board, a guy tried a SYN flood attack, and afterwards my board needed a reset (I suppose the lwIP stack crashed... but I have to investigate).

In my opinion, a solution to reduce the risk from DoS attacks is PACKET FILTERING: my idea is to give the user the possibility to define some rules for incoming packets, which will be applied in the emac driver context:

- a list of TRUSTED IPs; only packets from these IPs will be forwarded to the lwIP stack
- rules for packet filtering based on protocol (IGMP/UDP/TCP), ports, and IP

Raunak, Mike and other developers... we can discuss this here.

Bye,
Piero.

2009/1/28 Mike Kleshov <[email protected]>

> That's an interesting subject. There are many different classes of
> network attacks. Some of them are protocol-specific (recent DNS
> vulnerability, TCP SYN flood, ARP spoofing etc.), some target
> vulnerabilities in particular implementations (e.g. resource
> exhaustion), some are generic (flooding link with traffic.) You cannot
> counter all of them. The best you can do is evaluate the risks and try
> to bring them down to an acceptable level. That 'acceptable level' is
> highly dependent on your application requirements.
> I don't think that anyone performed a thorough evaluation of lwip in
> terms of vulnerability to network attacks. There will definitely be
> bugs. For example, a few months ago a bug was found where a
> malformed TCP header could cause a crash:
> https://savannah.nongnu.org/bugs/index.php?24596
> So, if possible, try to choose simple protocols, e.g. favour UDP over TCP.
>
> Regards,
> - mike
>
> 2009/1/28 Raunak Rungta <[email protected]>:
> > Hi All,
> > I am doing a project to analyze the security requirements in connecting the
> > set of wireless sensors with the Internet. I am totally new to this area. I
> > read about different TCP/IP stack implementations like lwIP, uIP and others.
> > Can anyone point me to some links where I can find how other implementors
> > have approached this problem? How have they tried to secure their Wireless
> > Sensor Networks from the different possible attacks from the Internet? Any links
> > to such implementations will also be helpful.
> > Thanks in advance,
> > Raunak Rungta
>
> _______________________________________________
> lwip-users mailing list
> [email protected]
> http://lists.nongnu.org/mailman/listinfo/lwip-users
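A sketch of the filtering idea proposed in the message above, a trusted-source list plus protocol/port rules checked on the raw Ethernet frame before it is handed to the stack. This is an added example, not code from the thread or from lwIP; every function name, the rule table, the addresses and the ports are hypothetical or constructed, and dropping non-first fragments and non-IPv4 traffic is an assumption of this sketch.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* All names are hypothetical; none of this is lwIP API. Addresses and ports are constructed. */
struct rule { uint8_t proto; uint16_t dport; };             /* dport 0 = any */
static const uint32_t trusted_ip[] = { 0xC0A8010Au };       /* 192.168.1.10 */
static const struct rule rules[] = { {6, 80}, {17, 5000}, {2, 0} }; /* TCP/80, UDP/5000, IGMP */
static uint8_t sample[42];                                  /* scratch buffer for constructed frames */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static int is_trusted(uint32_t ip) {
    for (size_t i = 0; i < sizeof trusted_ip / sizeof trusted_ip[0]; i++)
        if (trusted_ip[i] == ip) return 1;
    return 0;
}

/* Returns 1 if the Ethernet frame may be handed to the stack, 0 if the driver should drop it. */
int frame_allowed(const uint8_t *f, size_t len) {
    if (len < 14) return 0;                      /* shorter than an Ethernet header */
    uint16_t type = rd16(f + 12);
    if (type == 0x0806) return len >= 42 && is_trusted(rd32(f + 28)); /* ARP sender IP */
    if (type != 0x0800) return 0;                /* only IPv4 beyond this point */
    const uint8_t *ip = f + 14;
    if (len < 34 || (ip[0] >> 4) != 4) return 0; /* truncated header or wrong version */
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if (ihl < 20 || len < 14 + ihl + 4) return 0; /* bad header length, or ports missing */
    if (!is_trusted(rd32(ip + 12))) return 0;    /* source address not on the trusted list */
    if (rd16(ip + 6) & 0x1FFF) return 0;         /* non-first fragment carries no ports */
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (rules[i].proto == ip[9] && (!rules[i].dport || rules[i].dport == rd16(ip + ihl + 2)))
            return 1;
    return 0;                                    /* default deny */
}

/* Fills f (>= 42 bytes) with a constructed header-only IPv4 frame; checksums stay zero. */
size_t make_frame(uint8_t *f, uint32_t src, uint8_t proto, uint16_t dport) {
    memset(f, 0, 42);
    f[12] = 0x08; f[14] = 0x45; f[23] = proto;   /* EtherType 0x0800, version 4 / IHL 5 */
    for (int i = 0; i < 4; i++) f[26 + i] = (uint8_t)(src >> (24 - 8 * i));
    f[36] = (uint8_t)(dport >> 8); f[37] = (uint8_t)dport;
    return 42;
}

int main(void) {
    printf("trusted TCP/80: %d\n", frame_allowed(sample, make_frame(sample, 0xC0A8010Au, 6, 80)));
    printf("other source:   %d\n", frame_allowed(sample, make_frame(sample, 0x0A000001u, 6, 80)));
    return 0;
}
```

Source addresses can be forged, so a filter like this only bounds how much unsolicited traffic reaches the stack's parsers and connection tables; it does not authenticate the sender.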
