tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Accept filter semantics (Re: Handling of DOS attacks in NetBSD 5)



On Tue, 4 Jan 2011 14:14:11 -0500
Thor Lancelot Simon <tls%panix.com@localhost> wrote:

> On Tue, Jan 04, 2011 at 09:36:30AM -0700, Sverre Froyen wrote:
> > Hi,
> > 
> > In the past, I have observed DOS attacks where a client connects to
> > port 80 and then leaves the connection open indefinitely. Repeating
> > the process can easily tie up all available http processes.
> > 
> > I recently upgraded several servers to NetBSD 5 and I now observe a
> > slightly modified behavior, presumably because of the accept_filter
> > (9) addtion to the kernel. Instead of http process starvation, I
> > now observe between one and two hundred TCP connections that are in
> > the "ESTABLISHED" state (as reported by netstat -s). Once this
> > happens, the server denies additional HTTP requests.
> 
> There is a problem here: a new socket option is probably required to
> allow the application to set a timeout for conections being processed
> by the accept filter.  But what to do upon timeout?

Does using accept filters offer a dramatic performance improvement? It
seems to me that using accept filters opens up more avenues for DOS
attacks.

Web servers that handle many connections use kernel event notification,
i.e. kqueue, epoll, etc., which don't really need accept filters, do
they? Apache is probably the only web server that might benefit from
them.


Home | Main Index | Thread Index | Old Index