Presented by

  • Alexander Krizhanovsky
    @a_krizhanovsky
    https://natsys-lab.blogspot.com/

    Alexander is the CEO of Tempesta Technologies, Inc., and the architect of Tempesta FW, a high-performance open source hybrid of a web accelerator and a firewall that efficiently filters application-layer DDoS attacks and web attacks. Alexander is responsible for the design and performance of several products in the areas of network traffic processing and databases. He designed the core architecture of a Web application firewall mentioned in the Gartner Magic Quadrant, and MariaDB system versioning.

Abstract

Back in 2013 we started development of a Web Application Firewall (WAF) on top of one of the widespread HTTP accelerators. At that time we realized that modern HTTP accelerators were designed to service normal HTTP requests and do not suit well for filtering massive HTTP traffic from malicious clients such as DDoS bots. A WAF protecting huge web resources or thousands of small web sites also experiences overloading due to deep analysis of HTTP and web content. So we started to develop our own hybrid of an HTTP accelerator and a firewall, Tempesta FW, to address the problem of servicing and filtering massive HTTPS traffic. It can be used as a standalone web acceleration and protection system as well as a WAF accelerator performing pre-filtering for a more advanced WAF.

Tempesta FW is an open source Linux kernel module integrated into the Linux TCP/IP stack and implementing a rich set of HTTP security features. Tempesta FW implements HTTPtables, an HTTP request filtering tool which can be used together with nftables to define filtering rules at all network layers at the same time. Strict and flexible HTTP field verification, HTTP cookie and JavaScript challenges, as well as various rate limits, are also implemented to efficiently block HTTP(S) DDoS and Web attacks.

This talk describes common issues with filtering malicious HTTPS traffic on modern HTTP accelerators, how Tempesta FW solves them, and several low-level topics such as SIMD HTTP string processing algorithms, but mostly I'll concentrate on TempestaTLS, a fork of mbedTLS that implements TLS handshakes in the Linux kernel. TempestaTLS cooperates with the TCP/IP stack to send records of optimal size and avoid copying. The handshake state machine is carefully optimized to provide the highest performance. I'll show performance benchmarks comparing TempestaTLS with OpenSSL in workloads close to a real-life DDoS attack against TLS handshakes.