What it is about: some DDoS attacks are hard (if not impossible) to fight with pf(4) and other firewalls (ipfw and ipf).

Example: a DNS flood, which you can either filter (and that itself accomplishes the DDoS) or not filter (thus loading your server with unnecessary context switching and data transfer from kernel to userland, both of which are expensive and should be avoided).

ASPF helps with that by establishing a pfil(9) hook and doing basic DNS query validation at kernel level, thus avoiding both context switching and data transfer for packets that do not pass.
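
An added example, not ASPF's own code: a userland C function showing the kind of header-level validation a packet hook could apply to a UDP payload on port 53 before it is handed to the DNS server. The specific checks and the names `dns_query_plausible` and `sample_query` are assumptions; the page does not list ASPF's rules.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: a standard query for "example.com", type A, class IN. */
static const uint8_t sample_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/*
 * Return 1 if buf (a UDP payload) is shaped like a standard DNS query,
 * 0 if it should be dropped. Hypothetical checks, not ASPF's actual rule set.
 */
int dns_query_plausible(const uint8_t *buf, size_t len)
{
    size_t off = 12, name_len = 0;

    if (buf == NULL || len < 12 + 1 + 4)  /* header + root label + QTYPE/QCLASS */
        return 0;
    if (buf[2] & 0x80)                    /* QR set: a response, not a query */
        return 0;
    if ((buf[2] >> 3) & 0x0f)             /* opcode other than QUERY (0) */
        return 0;
    if (rd16(buf + 4) != 1)               /* QDCOUNT must be exactly 1 */
        return 0;
    if (rd16(buf + 6) != 0 || rd16(buf + 8) != 0) /* no answer/authority RRs */
        return 0;

    /* Walk the QNAME labels without ever reading past len. */
    for (;;) {
        uint8_t l;
        if (off >= len) return 0;         /* ran out of data before root label */
        l = buf[off++];
        if (l == 0) break;                /* root label ends the name */
        if (l > 63) return 0;             /* rejects compression pointers too */
        name_len += (size_t)l + 1;
        if (name_len > 254 || off + l > len) return 0;
        off += l;
    }
    return (len - off >= 4);              /* room left for QTYPE and QCLASS */
}

int main(void) { return dns_query_plausible(sample_query, sizeof sample_query) ? 0 : 1; }
```

Every check is a bounded read over the payload with no allocation, which is what makes this class of validation cheap enough to run per packet.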

System compatibility: tested on FreeBSD 6 and 7.