What it is about: there are DDoS'es which are hard (if not impossible)
to fight with pf(4) and other firewalls (ipfw and ipf).
Example: DNS Flood, which you can either filter
(and that accomplishes DDoS) or not (and thus loading your server
with unnecessary context switching and data transfer from kernel
to userland, both is expensive and should be avoided).
ASPF helps with that establishing pfil(9) hook and doing basic
DNS Query validation at kernel level, thus avoiding both context
switching and data transfer for packets not passing.
System compatibility: tested on FreeBSD 6 and 7.