On Wed, 2009-01-28 at 11:53 +0100, Piero 74 wrote: > Hi > > I have similar problem with my ip board. My product is for intrusion > market, so, our marketing, asked me if i can protect the board from > crash caused by DOS attack. > Yesterday, during tests on my board, a guy tried a SYN flood attack, > and after, my board needed a reset (i suppose lwip stack crashed... > but i have to investigate) > > In my opinion, a solution to reduce risk from DOS attacks, is PACKET > FILTERING: > my idea is to give the user the possibility to define some rules for > incoming packets, that will be applied in the emac driver context: > - a list of TRUSTED IP, only packets from this ip will be forward to > lwip stack > - rules for packet filtering based on protocol (IGMP/UDP/TCP), ports, > and IP
In my view a crash is a bug, and by using packet filtering you might treat the symptom but not the problem. I would investigate where the crash happened and fix that first. However, lwIP is by design very conservative with its resource usage, and by application likely to be on systems that are constrained in some way. Therefore it is always going to be possible, with a suitably well crafted attack, to overwhelm such a system with traffic and exclude the packets that should get through. That said, the system should cope with being overloaded, and return to functional operation when the extra load is stopped - if it doesn't (as I said above) it's a bug that should be fixed. Packet filtering will just move the load of coping with such packets to the driver rather than the network stack, and so may help a little but it won't be a complete solution. Kieran _______________________________________________ lwip-users mailing list [email protected] http://lists.nongnu.org/mailman/listinfo/lwip-users
