NetBSD-Users archive


Handling of DOS attacks in NetBSD 5

Hi,

In the past, I have observed DOS attacks where a client connects to port 80 
and then leaves the connection open indefinitely. Repeating the process can 
easily tie up all available http processes.

I recently upgraded several servers to NetBSD 5 and I now observe a slightly 
modified behavior, presumably because of the accept_filter(9) addition to the 
kernel. Instead of http process starvation, I now observe between one and two 
hundred TCP connections that are in the "ESTABLISHED" state (as reported by 
netstat -s). Once this happens, the server denies additional HTTP requests.

Here's a small fragment of a "netstat -an" output:

tcp        0      0  x.x.x.x.80      x.x.x.x.3225     ESTABLISHED
tcp        0      0  x.x.x.x.80      x.x.x.x.3220     ESTABLISHED
tcp        0      0  x.x.x.x.80      x.x.x.x.3219     ESTABLISHED
tcp        0      0  x.x.x.x.80      x.x.x.x.3211     ESTABLISHED
tcp        0      0  x.x.x.x.80      x.x.x.x.3205     ESTABLISHED
tcp        0      0  x.x.x.x.80      x.x.x.x.3200     ESTABLISHED
tcp        0      0  x.x.x.x.80      x.x.x.x.3196     ESTABLISHED

Is there a way to terminate such a bogus connection individually? I notice 
that "apachectl restart" leaves them open, whereas "apachectl stop" clears 
them.

How can I adjust the number of connections that the kernel allows? What is the 
resource use per connection? I'm thinking that if I could increase the limit 
by, say, a hundredfold, I could turn it into a nuisance rather than an 
emergency.

Any other thoughts?

Thanks,
Sverre
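One check a defender would want while diagnosing the situation described above is a per-peer count of idle ESTABLISHED connections to port 80, so that the offending clients can be identified from ordinary "netstat -an" output. The script below is an added example, not part of the original message or of NetBSD; it assumes the "addr.port" field layout quoted above and uses constructed sample lines (RFC 5737 documentation addresses) rather than real traffic.

```shell
#!/bin/sh
# Added example (not from the original post): list remote hosts holding more
# than a threshold of ESTABLISHED connections to a local port, parsed from
# "netstat -an" style output. Assumes NetBSD's "addr.port" column format.

# Constructed sample in the layout quoted in the post (documentation addresses,
# not captured traffic). 192.0.2.10 holds three port-80 connections; the port-22
# line and the TIME_WAIT line must not be counted.
SAMPLE_NETSTAT='tcp        0      0  10.0.0.5.80      192.0.2.10.3225     ESTABLISHED
tcp        0      0  10.0.0.5.80      192.0.2.10.3220     ESTABLISHED
tcp        0      0  10.0.0.5.80      192.0.2.10.3219     ESTABLISHED
tcp        0      0  10.0.0.5.80      198.51.100.7.4410   ESTABLISHED
tcp        0      0  10.0.0.5.22      192.0.2.10.5001     ESTABLISHED
tcp        0      0  10.0.0.5.80      192.0.2.10.3211     TIME_WAIT'

# count_established PORT THRESHOLD  (reads netstat output on stdin)
# Prints "count remote_host" for every remote host with more than THRESHOLD
# ESTABLISHED connections to local port PORT, highest count first.
count_established() {
    port="$1"; threshold="$2"
    awk -v port="$port" -v thr="$threshold" '
        $1 == "tcp" && $6 == "ESTABLISHED" {
            # Both address columns are "addr.port"; the port is the text after
            # the last dot, the host is everything before it.
            n = split($4, l, "."); lport = l[n]
            m = split($5, f, "."); fhost = substr($5, 1, length($5) - length(f[m]) - 1)
            if (lport == port) cnt[fhost]++
        }
        END { for (h in cnt) if (cnt[h] > thr) print cnt[h], h }
    ' | sort -rn
}

# Runs the check over the constructed sample with a threshold of 2.
report_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_established 80 2
}

report_sample
```

On a live system, pipe `netstat -an` into `count_established 80 <threshold>` instead of the sample; hosts that stay at the top of the list across several runs are the ones holding connections open.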
