tech-net archive


Re: Accept filter semantics (Re: Handling of DOS attacks in NetBSD 5)



On Tue, Jan 04, 2011 at 11:28:32PM +0000, Sad Clouds wrote:
> Does using accept filters offer a dramatic performance improvement? It
> seems to me that using accept filters opens up more avenues for DOS
> attacks.

Yes, they do.

> Web servers that handle many connections use kernel event notification,
> i.e. kqueue, epoll, etc., which don't really need accept filters, do
> they? Apache is probably the only web server that might benefit from
> them.

You are mixing up two completely separate issues. Accept filters for
HTTP allow ensuring serving traffic with four syscalls per request
(ignoring keep alive): accept, read, write, close. The accept filter
ensures that the read doesn't have to loop.

Joerg
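
The four-syscall pattern from the reply above, as an added example that is not part of the original message or of NetBSD's code. `filtered_listener`, `serve_one` and `demo` are hypothetical names, the client request is constructed, and the Linux `TCP_DEFER_ACCEPT` branch is an assumption so the sketch also runs outside NetBSD/FreeBSD.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/socket.h>
#include <unistd.h>

/* Loopback listener on an ephemeral port; the filter is applied best effort. */
int filtered_listener(struct sockaddr_in *sa)
{
    socklen_t len = sizeof(*sa);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    *sa = (struct sockaddr_in){ .sin_family = AF_INET,
                                .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    if (fd < 0 || bind(fd, (struct sockaddr *)sa, len) < 0 || listen(fd, 16) < 0 ||
        getsockname(fd, (struct sockaddr *)sa, &len) < 0) { close(fd); return -1; }
#if defined(SO_ACCEPTFILTER)    /* NetBSD/FreeBSD: set after listen() */
    struct accept_filter_arg afa = { .af_name = "httpready" }; /* full GET/HEAD */
    setsockopt(fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa));
#elif defined(TCP_DEFER_ACCEPT) /* assumption: Linux stand-in, first data only */
    int secs = 5;
    setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, &secs, sizeof(secs));
#endif
    return fd;
}

/* accept, read, write, close: returns the bytes the single read() delivered. */
ssize_t serve_one(int lfd)
{
    static const char resp[] = "HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n";
    char req[4096];
    int c = accept(lfd, NULL, NULL);
    if (c < 0) return -1;
    ssize_t n = read(c, req, sizeof(req));   /* no loop: request already queued */
    if (n > 0 && write(c, resp, sizeof(resp) - 1) < 0) n = -1;
    close(c);
    return n;
}

/* Constructed client for the example: one GET over loopback to serve_one(). */
ssize_t demo(void)
{
    static const char get[] = "GET / HTTP/1.0\r\n\r\n";
    struct sockaddr_in sa;
    int lfd = filtered_listener(&sa), c = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0 || c < 0 || connect(c, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
        write(c, get, sizeof(get) - 1) < 0) return -1;
    ssize_t n = serve_one(lfd);
    close(c); close(lfd);
    return n;
}
```

If the kernel does not provide the requested filter, the `setsockopt` call fails and `accept()` behaves as usual, so the single `read()` may return a partial request; a real server checks that return value and keeps a read loop as fallback.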

