Re: [lwip-devel] SYN flood attack - lwip crash

[Kieran Mansley]

On Fri, 2009-01-30 at 11:56 +0100, Piero 74 wrote:
> Hi Kieran.
> 
> At the end of scan... no answers from lwip... 
> i did a cut of wireshark, from the final tests of scan, to the end.
> 
> After the scan, i tried more times to connect to board...

OK, that's helpful.  It looks like lwIP is alive in that it's sending
RST frames in response to packets that don't match an existing
connection, but it's not sending any response to a SYN, and it's not
retransmitting anything.  I would try and debug what's happening in the
tcp_slowtmr() function and see if there are any half-open connections
(i.e. in SYN_SENT or SYN_RECV states) and what the stack is doing about
them.  It should be (i) retransmitting and (ii) timing them out
eventually.

Your packet capture only shows 80 seconds, which I think won't be long
enough to time any half-open connections out, but I think tcp_slowtmr()
is the right place to look for more detail.

Thanks 

Kieran