DESCRIPTION

     One of the common patterns of modern DDoS is as simple as "flood the
     application with garbage traffic until it is not able to process such
     amounts".  And, while some of these attacks can be eliminated with the
     help of firewalls, others can not.  An example of such an attack is
     garbage traffic destined to udp port 53 of your DNS server: of course,
     you can filter it with pf(4), but then your DNS server will simply not
     receive valid questions, which can be considered 'DDoS accomplished',
     as your valid customers will not be able to find the IP address of your
     service...  Or you can pass this traffic to the DNS server, thus
     involving a context switch from kernel to application and copying data
     from kernel space to user space, but both operations are expensive and
     better avoided, especially in the case of packets which will fail input
     validation in the application and just be dropped.

     aspf is designed to help alleviate this problem.  It utilizes the
     pfil(9) infrastructure to set up basic validation filters at kernel
     level (thus avoiding both the context switch and the data copying).

     For now (27 Oct 2008), only DNS Query filtering is implemented, and only
     for IPv4 (IPv6 and some other UDP-based protocols are planned).


DNS Query Filtering

     Order of Operations: each packet destined to udp port 53 is considered a
     DNS Query and checked for conformance with RFC 1034, using the following
     rules:

     DNS Query size must be in range 12..512 bytes, inclusive.

     Answer flag must not be set.

     Opcode must be one of Query (0), Status (2), Notify (4) or Update (5).

     RCode must not be set.

     Query section must contain at least one Query.

     Answer section must contain no RR's.

     Authority section must contain no RR's.

     If any of these conditions fails, the packet is considered 'invalid' and
     dropped at kernel level.

     Note that the Additional Section is not checked: it can be used in
     Queries to pass EDNS0/DNSSEC options.
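     The rules above, written out as a userland check over a UDP payload.
     This is an added illustration, not aspf's own kernel code; the enum
     names, dnsq_check() and the two sample packets are constructed here,
     and the header field offsets follow RFC 1035.

```c
#include <stdint.h>
#include <stddef.h>

/* Outcome of the checks; one value per failure reason listed above. */
enum dnsq_result { DNSQ_OK, DNSQ_BADSIZE, DNSQ_ANSWER, DNSQ_OPCODE,
                   DNSQ_RCODE, DNSQ_QUERYSEC, DNSQ_ANSWERSEC, DNSQ_AUTHSEC };

/* Apply the DNS Query rules to a UDP payload (RFC 1035 header layout);
 * returns the first rule violated, or DNSQ_OK if the packet may pass. */
enum dnsq_result dnsq_check(const uint8_t *p, size_t len)
{
    uint16_t flags, qdcount, ancount, nscount;
    uint8_t opcode;

    /* Size must be 12..512 bytes inclusive (12 is the bare header) */
    if (len < 12 || len > 512)
        return DNSQ_BADSIZE;
    flags   = (uint16_t)(p[2] << 8 | p[3]);
    qdcount = (uint16_t)(p[4] << 8 | p[5]);
    ancount = (uint16_t)(p[6] << 8 | p[7]);
    nscount = (uint16_t)(p[8] << 8 | p[9]);
    if (flags & 0x8000)               /* QR bit set: this is an answer */
        return DNSQ_ANSWER;
    opcode = (flags >> 11) & 0x0f;    /* Query, Status, Notify, Update only */
    if (opcode != 0 && opcode != 2 && opcode != 4 && opcode != 5)
        return DNSQ_OPCODE;
    if (flags & 0x000f)               /* RCODE must be zero in a query */
        return DNSQ_RCODE;
    if (qdcount == 0)                 /* at least one question */
        return DNSQ_QUERYSEC;
    if (ancount != 0)                 /* no answer RRs */
        return DNSQ_ANSWERSEC;
    if (nscount != 0)                 /* no authority RRs; ARCOUNT unchecked */
        return DNSQ_AUTHSEC;
    return DNSQ_OK;
}

/* Constructed samples: a query for "a." type A (flags = RD only), and the
 * same packet turned into a reply (QR set, ANCOUNT = 1). */
static const uint8_t sample_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x01, 'a', 0x00, 0x00, 0x01, 0x00, 0x01 };
static const uint8_t sample_reply[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x01, 'a', 0x00, 0x00, 0x01, 0x00, 0x01 };
```

     Feeding the reply to dnsq_check() stops at the QR bit, which is why a
     reflected answer hitting port 53 is counted under the Answer bit rather
     than the Answer section.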


SYSCTL VARIABLES

     There are some sysctl variables that can be used to tune ASPF behaviour:

     net.inet.aspf.enable: 1
             Enables or disables ASPF on the fly.


     net.inet.aspf.dnsq_ok:
             Total number of packets that passed DNS Query validation.

     net.inet.aspf.dnsq.authsec:
             Packets that failed DNS Query validation due to RRs in the
             Authority Section.

     net.inet.aspf.dnsq.answersec:
             Packets that failed DNS Query validation due to RRs in the
             Answer Section.

     net.inet.aspf.dnsq.answersec:
             Packets that failed DNS Query validation due to no RRs in the
             Query Section.

     net.inet.aspf.dnsq.answersec:
             Packets that failed DNS Query validation due to a non-zero
             RCode.

     net.inet.aspf.dnsq.opcode:
             Packets that failed DNS Query validation due to an invalid
             opcode.

     net.inet.aspf.dnsq.answer:
             Packets that failed DNS Query validation due to the Answer bit
             being set.

     net.inet.aspf.dnsq.badsize:
             Packets that failed DNS Query validation due to an invalid size.


BUGS

     Who knows. None found (yet?). Use at your own risk...


AUTHOR

     Alexandre Snarskii, <snar@snar.spb.ru>

                                 Oct 27, 2008