2015년 2월 16일 월요일

Firewall SoC with TCP/IP Offload Engine for Internet of Things

There is no doubt that the number of IoTs will increase explosively.

>Gartner, Inc. forecasts that 4.9 billion connected things will be in use in 2015, up 30 percent from 2014, and will reach 25 billion by 2020.

As the IoT device continues to increase, IoT devices will be faced with the network flooding attack, such as DDoS, more frequently. However, because of its capacity of memory and MCU, nearly most IoT devices are very vulnerable to heavy network attacks and traffisc.

Weakness of these IoT device must be a great opportunity to TOE-embedded MCU, W7500. While TOE under Network attack is to reduce the MCU and memory resources of IoT device, because it is possible to protect the System of IoT device.

What is Firewall TCP/IP offload Engine for IoT?

Software TCP/IP stack

First, let’s examine the Software TCP/IP stack.

Software TCP/IP stack implemented on host system requires more capacity of extra memory and extra processing power for network communications. Normally, ARM Cortex-M core copies data from Ethernet MAC buffer to memory, analyze the received packets in memory using the software stack and then executes an appropriate process.

Software TCP/IP Stack

If network flooding attack has occurres, Cortex-M will repeatedly excute process in order to process flooding packets. Therefor, excessive number of TCP requests such as SYN-flooding attacks will overload the IoT device.

Hardware TCP/IP TOE

Hardware TCP/IP TOE

On the other hand, the hardware TCP/IP TOE, which is implemented as Hardwired logic from Ethernet MAC Layer to TCP/IP Layer, is able to protect IoT system against network attack under excessive number of flooding packet by making discard flooding packets detected.

Comparison of Software TCP/IP stack and Hardware TCP/IP TOE under the Network attack such as DDoS.

Hardware TCP/IP SoC

This means that Cortex-M does not have to handle the flooding packet even under Network attack. Further, because the TCP / IP stack processing is performed in TOE, it is possible to save the amount of memory for TCP/IP communications.

These TOE features are not to limited to the Network attack, it is also possible to expect the same performance under heavy network traffic.

We compared the network performance of software TCP/IP stack and Hardware TCP/IP TOE under DoS Attack (Syn-flood attack).

Comparison of Software and Hardware TCP/IP System
Software TCP/IP Hardware TCP/IP
Platform Pic. mbed1768 W7500_EVB
Platform Name mbed1768 W7500 EVB
Max Clock (MHz) 96 48
Flash (KB) 512 128
RAM (KB) 64 32
Use DMA O O
software RTOS + lwIP Non-OS + Fireware
Code size (KB) Flash:64.5 / RAM:35.2 Flash: 9.09 / RAM: 8.99
Compiler Web-compiler (mbed.org) keil
Test tools Iperf.exe, scapy (python)
Network configurations for Network Performancs tests

Network config

How to use iperf

>Iperf is a tool to measure maximum TCP bandwidth, allowing the tuning of various parameters and UDP characteristics. Iperf reports bandwidth, delay jitter, datagram loss.

https://iperf.fr/

# ex.) host IP(192.168.77.34):port[5000], display format is Mbit/sec, interval 1 sec.
iperf.exe -c 192.168.77.34 -p 5000 -f m -i 1
  • -c : —client host, -c will connect to the host specified.
  • -p : —port #, the server port for the server to listen.
  • -f : —format [], ‘m’ = Mbit/sec
  • -i : —interval #, Sets the interval time in seconds between periodic bandwidth through performance
Scripts for DoS Attack (Syn-flood attack)

We used the scapy (python library) as DoS Attack.

Scapy is a powerful interactive packet manipulation program. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery.
http://www.secdev.org/projects/scapy/

from scapy.all import
inter = input('inter(time in seconds to wait between 2packets) :')

def synFlood(src, tgt, inter):
    IPlayer = IP(src, dst=tgt)
    TCPlayer= TCP(sport=3000, dport=3000) # as your env. change source and destination port
    pkt = IPlayer / TCPlayer
    send(pkt, loop=1, inter=inter) #

#send(pkts, inter=0, loop=0, verbose=None)
#    Send packets at layer 3, using the conf.L3socket supersocket. pkts can
#    be a packet, an implicit packet or a list of them.
#    loop: send the packets endlessly if not 0.
#    inter: time in seconds to wait between 2 packets
#    verbose: override the level of verbosity. Make the function totally silent when 0.
#   * Refer to http://www.secdev.org/projects/scapy/files/scapydoc.pdf for more detail.

# as your env. change to real IP address and so on.
src = "192.168.77.253" # PC IP address
tgt = "192.168.77.34"  # target board
synFlood(src, tgt, inter)

Network performance

Network_performance

It is possible to prove that the network performance of Hardware TCP/IP TOE is better and more stable than software TCP/IP stack under SYN flood attack. In particular, when interval is 0.001sec., the network performance of TOE is 9 times better than the software TCP/IP stack even though the platform embedded software TCP/IP stack is better than TOE platform.

It is confirmed that the Hardware TCP/IP TOE is able to maintain the network performance even if SYN-flood attack is increased. Otherwise, it is possible to observe that the network performance of software TCP/IP stack became extremely worse according to the interval of SYN-attack.

2015년 2월 3일 화요일

Firewall for Internet of Things

Intro





** What is a firewall for IoT ?**
- We will compare the traditional method and the proposed method under DoS Attack (SYN-flood attack).

IoT Platform: mbed NXP LPC1768



mbed LPC1768


It is based on the NXP LPC1768, with a 32-bit ARM Cortex-M3 core running at 96MHz. It includes 512KB FLASH, 32KB RAM and lots of interfaces including built-in Ethernet, USB Host and Device, CAN, SPI, I2C, ADC, DAC, PWM and other I/O interfaces. The pinout above shows the commonly used interfaces and their locations. Note that all the numbered pins (p5-p30) can also be used as DigitalIn and DigitalOut interfaces.
- Link1: For more detail


Traditional method: LwIP (TCP/IP software stack) + Ethernet MAC (LPC1768) + Ethernet PHY (DP83848J)@mbed application board (Ethernet connector)



mbed application board
* Feature list
* 128x32 Graphics LCD
* 5 way joystick
* 2 x Potentiometers
* 3.5mm Audio jack (Analog Out)
* Speaker, PWM connected
* 3 Axis /1 1.5g Accelerometer
* 3.5mm Audio jack (Analog In)
* 2x Servo motor headers
* RGB LED, PWM connected
* USB-mini-B Connector
* Temperature sensor
* Socket for for Xbee (Zigbee) or RN-XV (Wifi)
* RJ45 Ethernet Connector
* USB-A Connector
* 1.3mm DC Jack input



Proposed method: WIZ550io (TOE + Ethernet MAC + Ethernet PHY)



WIZ550io
- Link3: WIZ550io components in mbed.org
- Link4: W5500 components in mbed.org

Application for iperf



Recv only code for Software stack




  • fixed an echo server on mbed.



[code lang=cpp]
#include "mbed.h"
#include "EthernetInterface.h"

EthernetInterface eth;
int main()
{
printf("Trying rn");
// as your env. change to real IP address and so on.
int ret = eth.init("192.168.77.34", "255.255.255.0", "192.168.77.1");

if (!ret) {
printf("Initialized, MAC: %snr", eth.getMACAddress());
printf("Connected, IP: %s, MASK: %s, GW: %snr",
eth.getIPAddress(), eth.getNetworkMask(), eth.getGateway());
} else {
printf("Error eth.init() - ret = %dnr", ret);
return -1;
}

eth.connect();
printf("IP Address is %sn", eth.getIPAddress());

TCPSocketServer server;
server.bind(5000);
server.listen();

while (true) {
printf("nWait for new connection...n");
TCPSocketConnection client;
server.accept(client);
client.set_blocking(false, 1500); // Timeout after (1.5)s

printf("Connection from: %sn", client.get_address());

char buffer[2048];
while (true) {
int n = client.receive(buffer, sizeof(buffer));

if (n < 0) break; // !_is_connected

}
client.close();
}
}
[/code]

Recv only code for TOE



[code lang=cpp]
#include <stdio.h>
#include <string.h>
#include "mbed.h"
#include "EthernetInterface.h"


//DigitalOut myled(LED1);
//Serial pc(USBTX , USBRX);
int main() {

printf("Test - WIZ550iorn");

/** Set the spi bus clock frequency
*
* @param hz SCLK frequency in hz (default = 1MHz)
* Maximum SPI data bit rate of 12.5 Mbit/s in LPC176X
*/
spi.frequency(12500000);
SPI spi(p5, p6, p7); // mosi, miso, sclk
EthernetInterface eth(&spi, p8, p11); // spi, cs, reset

// as your env. change to real IP address and so on.
int ret = eth.init("192.168.77.34", "255.255.255.0", "192.168.77.1");
if (!ret) {
printf("Initialized, MAC: %snr", eth.getMACAddress());
printf("Connected, IP: %s, MASK: %s, GW: %snr",
eth.getIPAddress(), eth.getNetworkMask(), eth.getGateway());
} else {
printf("Error eth.init() - ret = %dnr", ret);
return -1;
}

printf("IP Address is %sn", eth.getIPAddress());

TCPSocketServer server;
server.bind(5000);
server.listen();

while (true) {
printf("nWait for new connection...n");
TCPSocketConnection client;
server.accept(client);
client.set_blocking(false, 1500); // Timeout after (1.5)s

printf("Connection from: %sn", client.get_address());

char buffer[2048];
while (true) {
int n = client.receive(buffer, sizeof(buffer));

if (n < 0) break; // !_is_connected
}
client.close();
}
}
[/code]

Comparison of memory Size























Software stack TOE (W5500)
Codes  sw stack codes TOE codes
Memory usage sw memory usage sw memory usage



35.2kB(110%) : The LPC1768 has 3 RAM banks: One general purpose one of 32kB, and two additional ones of 16kB each for Ethernet/USB/CAN purposes. Ethernet completely fills one of those additional banks. The online compiler does take this into account for the total RAM usage, but assumes only 32kB is available, so it gets over the 100% what it displays, still will work fine though. (from mbed.org: http://developer.mbed.org/questions/3579/mbed-LPC-1768-RAM-Usage-128-what-does-th/)


** TOE can reduce the flash and RAM usage of by 7% and 119% respectively. **

DoS Attack (Syn-flood attack)



We used the scapy based on python library for DoS Attack.

[code lang=python]
from scapy.all import

inter = input('inter(time in seconds to wait between 2packets) :')

def synFlood(src, tgt, inter):
IPlayer = IP(src, dst=tgt)
TCPlayer= TCP(sport=3000, dport=3000) # as your env. change source and destination port
pkt = IPlayer / TCPlayer
send(pkt, loop=1, inter=inter) #

#send(pkts, inter=0, loop=0, verbose=None)
# Send packets at layer 3, using the conf.L3socket supersocket. pkts can
# be a packet, an implicit packet or a list of them.
#
# loop: send the packets endlessly if not 0.
# inter: time in seconds to wait between 2 packets
# verbose: override the level of verbosity. Make the function totally silent when 0.
# * Refer to http://www.secdev.org/projects/scapy/files/scapydoc.pdf for more detail.


# as your env. change to real IP address and so on.
src = "192.168.77.253" # PC IP address
tgt = "192.168.77.34" # target board (LPC1768)

synFlood(src, tgt, inter)
[/code]

How to use iperf




Iperf is a tool to measure maximum TCP bandwidth, allowing the tuning of various parameters and UDP characteristics. Iperf reports bandwidth, delay jitter, datagram loss




[code lang=text]
# ex.) host IP(192.168.77.34):port[5000], display format is Mbit/sec, interval 1 sec.
>iperf.exe -c 192.168.77.34 -p 5000 -f m -i 1
[/code]


  • -c : --client host, -c will connect to the host specified.

  • -p : --port #, the server port for the server to listen.

  • -f : --format [], 'm' = Mbit/sec

  • -i : --interval #, Sets the interval time in seconds between periodic bandwidth
    Through performance



Network Configuration




  • **Fig. Network configurations to measure performance **
    SW Bandwidth



Network performance




  • Fig. Traditional method: lwIP performance according to traffic of SYN packet
    SW Bandwidth


  • Fig. Proposed method: TOE(W5500) performance according to traffic of SYN packet.
    TOE(W5500) Bandwidth




**The network performance of traditional method is better the proposed method when DoS attack is weak. Because, the traditional method used the bus-interface for MAC. (The proposed method doesn't used spi-dma.)
However, The proposed method kept up the network performance under SYN-flood attack.
Otherwise, the network performance of the traditional method is became extremely worse according to the interval of SYN-attack.
**