tech-kern archive


Re: Patch: accept filters for NetBSD

On Tue, Jan 29, 2008 at 10:17:11AM -0700, Sverre Froyen wrote:
> > Yes, as you quoted above, I understand one motivation may be
> > performance.
> >
> > Are there any benchmarks done on ~current NetBSD? :)
> My understanding is that the dataready filter can be used to prevent the type 
> of DoS attack that I inquired about in
> and where the attacker ties up all available httpd processes on a server.  
> This obviously helps server performance but may be difficult to quantify in a 
> benchmark.

If the ``dataready'' filter isn't application specific, you could probably
perform a similar attack by sending a partial HTTP request, though I'm
assuming that ``dataready'' just means accept() won't return until N bytes
of data exist in the receive queue.

A better way to stop the attack described in the referenced post would
probably be with pf(4) and source-track / max-src-states.


Jason V. Miller

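As an added illustration of the pf(4) approach mentioned above (this is not part of the original message, nor NetBSD's own documentation), here is a pf.conf fragment that tracks state per source address for an HTTP listener. The interface name, the table name and all numeric limits are placeholder values chosen for the example and would need tuning for a real server:

```pf
# Added example, not from the original thread. The interface, table name
# and limits are placeholders picked for illustration.
ext_if = "wm0"

# Sources that exceed the limits below are collected in this table
# and blocked outright until the table is cleared.
table <http_abusers> persist
block in quick on $ext_if from <http_abusers>

# Keep per-source state for the web server:
#   source-track rule   - count states per source address for this rule
#   max-src-states      - concurrent state entries one source may hold
#   max-src-conn        - concurrent established TCP connections per source
#   max-src-conn-rate   - new connections per source per interval (15 in 5 s)
#   overload ... flush  - add an offender to the table and drop its states
pass in on $ext_if proto tcp from any to ($ext_if) port 80 \
    flags S/SA keep state \
    (source-track rule, max-src-states 50, max-src-conn 30, \
     max-src-conn-rate 15/5, overload <http_abusers> flush global)
```

Load the ruleset with `pfctl -f /etc/pf.conf`; `pfctl -s sources` lists the tracked source addresses and their current state counts, and `pfctl -t http_abusers -T show` lists the addresses that have been overloaded into the table. One caveat: these limits cap what a single source address can hold open, which is the scenario in the referenced post, but they do nothing against many sources each holding one slow connection, so the httpd's own timeout on incomplete request headers still matters regardless of whether an accept filter or pf is in front of it.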