One common pattern of modern DDoS is as simple as "flood the application
with garbage traffic until it is no longer able to process such volumes".
While some of these attacks can be eliminated with the help of firewalls,
others cannot. An example is garbage traffic destined to UDP port 53 of
your DNS server: of course, you can filter it with pf(4), but then your DNS
server will simply not receive valid queries either, and that can be
considered 'DDoS accomplished', since your legitimate customers will not be
able to resolve your service's IP address. Alternatively, you can pass this
traffic to the DNS server, but that involves a context switch from kernel
to application and copying data from kernel space to user space; both
operations are expensive and better avoided, especially for packets which
will fail input validation in the application and just be dropped.
aspf is designed to help alleviate this problem. It uses the pfil(9)
infrastructure to set up basic validation filters at kernel level, thus
avoiding both the context switch and the data copy.
For now (27 Oct 2008), only DNS Query filtering is implemented, and only
for IPv4 (IPv6 and some other UDP-based protocols are planned).
DNS Query Filtering
Order of operations: each packet destined to UDP port 53 is considered a
DNS Query and checked for conformance with RFC 1034, using the following
rules:
DNS Query size must be in the range 12..512 bytes, inclusive.
Answer flag must not be set.
Opcode must be one of Query (0), Status (2), Notify (4) or Update (5).
RCode must not be set.
Query section must contain at least one Query.
Answer section must contain no RRs.
Authority section must contain no RRs.
If any of these conditions fails, the packet is considered 'invalid' and
dropped at kernel level.
Note that the Additional Section is not checked: it can be used in Queries
to pass EDNS0/DNSSEC options.
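The header checks listed above, written out as a userland C function so the rules can be read and exercised in one place. This is an added example, not aspf's own kernel code; the verdict names and the two sample packets are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* One verdict per rule, in the order the rules are checked; the drop
 * reasons mirror the per-reason counters described in the man page. */
enum aspf_verdict { ASPF_PASS = 0, ASPF_BAD_SIZE, ASPF_ANSWER_BIT,
    ASPF_BAD_OPCODE, ASPF_NONZERO_RCODE, ASPF_NO_QUERIES,
    ASPF_ANSWER_RRS, ASPF_AUTHORITY_RRS };

/* Check a UDP/53 payload against the RFC 1034 header rules above.  Only the
 * fixed 12-byte header is read; ARCOUNT is deliberately ignored so that
 * EDNS0/DNSSEC OPT records in the Additional section still pass. */
enum aspf_verdict aspf_check_dns_query(const uint8_t *pkt, size_t len)
{
    if (len < 12 || len > 512)
        return ASPF_BAD_SIZE;
    if (pkt[2] & 0x80)                       /* QR=1 means "response" */
        return ASPF_ANSWER_BIT;
    uint8_t opcode = (pkt[2] >> 3) & 0x0f;   /* QUERY, STATUS, NOTIFY, UPDATE */
    if (opcode != 0 && opcode != 2 && opcode != 4 && opcode != 5)
        return ASPF_BAD_OPCODE;
    if (pkt[3] & 0x0f)                       /* RCODE must be NOERROR (0) */
        return ASPF_NONZERO_RCODE;
    uint16_t qdcount = (uint16_t)(pkt[4] << 8 | pkt[5]);
    uint16_t ancount = (uint16_t)(pkt[6] << 8 | pkt[7]);
    uint16_t nscount = (uint16_t)(pkt[8] << 8 | pkt[9]);
    if (qdcount == 0)
        return ASPF_NO_QUERIES;
    if (ancount != 0)
        return ASPF_ANSWER_RRS;
    if (nscount != 0)
        return ASPF_AUTHORITY_RRS;
    return ASPF_PASS;                        /* hand the packet to the resolver */
}

/* Constructed samples (not captured traffic): a standard query for "a."
 * with RD set, and the same bytes with the QR bit set, as a response
 * would carry it, which the filter must drop before it reaches userland. */
static const uint8_t sample_query[] = { 0x12, 0x34, 0x01, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 'a', 0x00, 0x00, 0x01, 0x00, 0x01 };
static const uint8_t sample_response[] = { 0x12, 0x34, 0x81, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 'a', 0x00, 0x00, 0x01, 0x00, 0x01 };

int main(void)
{
    printf("query: %d (0 = pass), response-looking packet: %d\n",
           aspf_check_dns_query(sample_query, sizeof sample_query),
           aspf_check_dns_query(sample_response, sizeof sample_response));
    return 0;
}
```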
There are some sysctl variables that can be used to tune ASPF behaviour:
Allows disabling or enabling ASPF on the fly.
Total number of packets that passed DNS Query validation.
Packets that failed DNS Query validation due to RRs in the Authority Section.
Packets that failed DNS Query validation due to RRs in the Answer Section.
Packets that failed DNS Query validation due to no RRs in the Query Section.
Packets that failed DNS Query validation due to a non-zero RCode.
Packets that failed DNS Query validation due to an invalid opcode.
Packets that failed DNS Query validation due to the Answer bit being set.
Packets that failed DNS Query validation due to invalid size.
Who knows. None found (yet?). Use at your own risk...
Alexandre Snarskii, <firstname.lastname@example.org>
Oct 27, 2008