The Linux network stack extension for DDoS mitigation and web security

Alexander Krizhanovsky

Back in 2013 we started development of a Web Application Firewall (WAF) on top of one of the widespread HTTP accelerators. At that time we realized that modern HTTP accelerators were designed to service normal HTTP requests and don’t suit well for filtering massive HTTP traffic from malicious clients such as DDoS bots. A WAF protecting huge web resources or thousands of small web sites also experiences overloading due to deep analysis of HTTP and web content.

So we started to develop our own hybrid of an HTTP accelerator and a firewall, Tempesta FW, to address the problem of servicing and filtering massive HTTPS traffic. It can be used as a standalone web acceleration and protection system as well as a WAF accelerator performing pre-filtering for a more advanced WAF. Tempesta FW is an open source Linux kernel module integrated into the Linux TCP/IP stack and implementing a rich set of HTTP security features.

Tempesta FW implements HTTPtables, an HTTP request filtering tool which can be used together with nftables to define filtering rules on all network layers at the same time. Strict and flexible HTTP field verification, HTTP cookie and JavaScript challenges, as well as various rate limits, are also implemented to efficiently block HTTP(S) DDoS and web attacks.
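To make the two mechanisms named above concrete, the following model combines a per-client request rate limit with a stateless HTTP cookie challenge. It is an added illustration written for this page, not Tempesta FW code: the cookie name, the HMAC secret, the limits and the sample client addresses are all constructed, and the decision logic only shows the shape of the defence (a bot that does not store cookies never reaches `pass`, and one that keeps hammering crosses the rate limit and is blocked).

```python
"""Model of two HTTP(S) DDoS defences: a per-client rate limit and an HTTP
cookie challenge. Illustrative example, not Tempesta FW code; every name and
sample value below is constructed for the demonstration."""
import hashlib
import hmac
from collections import defaultdict, deque

SECRET = b"constructed-demo-secret"   # assumed server-side key (constructed)
COOKIE_NAME = "__challenge"           # hypothetical cookie name
RATE_LIMIT = 5                        # max requests per client per window (constructed)
WINDOW_SECONDS = 10.0
COOKIE_TTL = 60                       # seconds a challenge cookie stays valid


def make_cookie(client_ip: str, now: float) -> str:
    """Issue a stateless challenge cookie "<expiry>.<hmac(ip|expiry)>".
    The server stores nothing per client; validity is recomputed on receipt."""
    expiry = int(now) + COOKIE_TTL
    msg = f"{client_ip}|{expiry}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{expiry}.{tag}"


def cookie_is_valid(cookie: str, client_ip: str, now: float) -> bool:
    """Accept only a cookie we issued for this client address that has not expired."""
    try:
        expiry_str, tag = cookie.split(".", 1)
        expiry = int(expiry_str)
    except ValueError:
        return False
    if expiry < now:
        return False
    msg = f"{client_ip}|{expiry}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)   # constant-time comparison


class RateLimiter:
    """Sliding-window limiter: remember the timestamps of each client's recent requests."""

    def __init__(self, limit: int = RATE_LIMIT, window: float = WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.history = defaultdict(deque)

    def allow(self, client_ip: str, now: float) -> bool:
        q = self.history[client_ip]
        while q and now - q[0] >= self.window:   # drop requests outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def filter_request(limiter: RateLimiter, client_ip: str, cookies: dict, now: float):
    """Return (decision, cookie_to_set); decision is 'block', 'challenge' or 'pass'."""
    if not limiter.allow(client_ip, now):
        return "block", None
    if cookie_is_valid(cookies.get(COOKIE_NAME, ""), client_ip, now):
        return "pass", None
    # No valid cookie yet: answer with a challenge (in practice a redirect carrying
    # Set-Cookie). A client that never stores cookies never reaches 'pass'.
    return "challenge", make_cookie(client_ip, now)


def run_demo():
    """Constructed traffic: a browser that keeps cookies and a bot that does not."""
    limiter = RateLimiter()
    results = []
    t0 = 1_700_000_000.0
    jar = {}                                     # the browser's cookie jar
    for i in range(3):
        decision, cookie = filter_request(limiter, "203.0.113.10", jar, t0 + i)
        if cookie:
            jar[COOKIE_NAME] = cookie
        results.append(("browser", decision))
    for i in range(7):                           # 7 requests in 3.5 s, limit is 5
        decision, _ = filter_request(limiter, "198.51.100.77", {}, t0 + i * 0.5)
        results.append(("bot", decision))
    return results


if __name__ == "__main__":
    for who, decision in run_demo():
        print(f"{who:8} -> {decision}")
```

The browser is challenged once, stores the cookie and then passes; the bot is challenged five times and then blocked because it also exceeds the rate limit. Binding the HMAC to the client address and an expiry means the server keeps no per-client table for the challenge itself, which is what keeps the check cheap under flood conditions.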

This talk describes common issues with filtering malicious HTTPS traffic on modern HTTP accelerators, how Tempesta FW solves them, and several low-level topics such as SIMD HTTP string processing algorithms, but mostly I’ll concentrate on TempestaTLS, a fork of mbedTLS that implements TLS handshakes in the Linux kernel. TempestaTLS cooperates with the TCP/IP stack to send records of optimal size and avoid copying. The handshake state machine is carefully optimized to provide the highest performance. I’ll show performance benchmarks comparing TempestaTLS with OpenSSL in workloads close to a real-life DDoS attack against TLS handshakes.

is a conference about the Linux operating system, and all aspects of the thriving ecosystem of Free and Open Source Software that has grown up around it. Run since 1999, in a different Australian or New Zealand city each year, by a team of local volunteers, LCA invites more than 500 people to learn from the people who shape the future of Open Source. For more information on the conference see

Produced by NDV: #linux #foss #opensource

Wed Jan 15 13:30:00 2020 at Arena
