[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Patch: accept filters for NetBSD
On Tue, Jan 29, 2008 at 10:17:11AM -0700, Sverre Froyen wrote:
> > Yes, as you quoted above, I understand one motivation may be
> > performance.
> > Are there any benchmarks done on ~current NetBSD? :)
> My understanding is that the dataready filter can be used to prevent the type
> of DoS attack that I inquired about in
> and where the attacker ties up all available httpd processes on a server.
> This obviously helps server performance but may be difficult to quantify in a
If the ``dataready'' filter isn't application specific, you could probably
perform a similar attack by sending a partial HTTP request, though I'm
assuming that ``dataready'' just means accept() won't return until N bytes
of data exist in the receive queue.
A better way to stop the attack described in the referenced post would
probably be with pf(4) and source-track / max-src-states.
Jason V. Miller
Main Index |
Thread Index |