tech-net archive


Re: Patch: accept filters for NetBSD



On Tue, Jan 29, 2008 at 10:17:11AM -0700, Sverre Froyen wrote:
> > Yes, as you quoted above, I understand one motivation may be
> > performance.
> >
> > Are there any benchmarks done on ~current NetBSD? :)
> 
> My understanding is that the dataready filter can be used to prevent the type 
> of DoS attack that I inquired about in
> 
>       http://mail-index.netbsd.org/netbsd-help/2005/01/10/0005.html
> 
> and where the attacker ties up all available httpd processes on a server.  
> This obviously helps server performance but may be difficult to quantify in a 
> benchmark.

If the ``dataready'' filter isn't application specific, you could probably
perform a similar attack by sending a partial HTTP request, though I'm
assuming that ``dataready'' just means accept() won't return until N bytes
of data exist in the receive queue.

A better way to stop the attack described in the referenced post would
probably be with pf(4) and source-track / max-src-states.

J.

-- 
Jason V. Miller
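The pf(4) mitigation suggested above, as an added pf.conf fragment that is not from the thread; the interface name, the per-client limit and the port are assumptions:

```pf
# Constructed pf.conf fragment (not from the thread); the interface name,
# the limit of 20 and the use of port 80 are assumptions.
ext_if = "bge0"

# Before: a plain rule lets one client open as many connections as it
# likes, so a few slow, half-sent requests can tie up every httpd process.
# pass in on $ext_if proto tcp to ($ext_if) port 80 flags S/SA keep state

# After: track state per source address and cap each client at 20
# concurrent states.  Once the limit is reached, further connections from
# that address no longer match this rule and fall through to the remaining
# rules (and are dropped under a default-deny policy), so they never reach
# accept() on the server.
pass in on $ext_if proto tcp to ($ext_if) port 80 flags S/SA \
    keep state (source-track rule, max-src-states 20)
```

Check the live per-source counters with `pfctl -s Sources` to see which addresses are approaching the limit.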
