Linux Piter 2017 / Alexander Krizhanovsky: "Kernel HTTPS/TCP/IP stack for HTTP DDoS mitigation" / Saint Petersburg, Russia / 3 November 2017 - 4 November 2017

Linux Piter 2017

3 November 2017 (Fri), 10:00 - 4 November 2017 (Sat), 19:00

Alexander Krizhanovsky: "Kernel HTTPS/TCP/IP stack for HTTP DDoS mitigation"

Application-layer HTTP DDoS attacks are usually mitigated by HTTP accelerators or HTTP load balancers. However, the Linux socket interface used by such software doesn't provide reasonable performance under the extreme loads caused by DDoS attacks.
HTTP servers based on user-space TCP/IP stacks are becoming popular due to their better performance. However, a TCP/IP stack is a huge and complex body of code, so it's not wise to implement and run it twice, in user space and in the kernel. Moreover, the kernel TCP/IP stack is well integrated with many powerful tools such as IPTables, IPVS, tc and tcpdump. These tools are unavailable to a user-space TCP/IP stack or require complex interfaces.
This talk describes Tempesta FW [1], which brings HTTPS processing into the kernel: HTTPS is built into the Linux TCP/IP stack. As an HTTP firewall, Tempesta FW implements a rich set of rate limits and heuristics to defend against HTTPS floods, Slow HTTP and several Web attacks. An HTTP cookie challenge is also implemented; a JavaScript challenge and several other more advanced DDoS mitigation techniques are currently in development.
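The HTTP cookie challenge mentioned above, as an added illustration that is not Tempesta FW's own code: a client without a valid cookie is redirected back to the same URL with a cookie set; the cookie is an HMAC over the client address and an issue timestamp, so it cannot be forged or reused from another address and expires after a fixed window. The cookie name, TTL, HMAC construction and sample addresses are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed per-process secret; a real deployment would load and rotate it from configuration.
SECRET = secrets.token_bytes(32)
COOKIE_NAME = "__challenge"   # hypothetical cookie name, not the one Tempesta FW uses
TTL = 300                     # seconds a challenge cookie stays valid (assumed value)


def make_cookie(client_ip: str, now: float, secret: bytes = SECRET) -> str:
    """Issue a cookie bound to the client address and the current time."""
    ts = int(now)
    msg = f"{client_ip}|{ts}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{ts}.{tag}"


def verify_cookie(value, client_ip: str, now: float,
                  secret: bytes = SECRET, ttl: int = TTL) -> bool:
    """Accept only a well-formed, unexpired cookie whose tag matches this client address."""
    if not isinstance(value, str) or "." not in value:
        return False
    ts_str, tag = value.split(".", 1)
    if not ts_str.isdigit():
        return False
    ts = int(ts_str)
    if not 0 <= now - ts <= ttl:          # reject cookies from the future or too old
        return False
    expected = hmac.new(secret, f"{client_ip}|{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison


def parse_cookie_header(header: str) -> dict:
    """Minimal parser for a Cookie request header: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, val = part.strip().split("=", 1)
            cookies[name] = val
    return cookies


def handle_request(path: str, headers: dict, client_ip: str, now: float):
    """Front-end decision: (200, {}) passes the request on; (302, hdrs) issues the challenge."""
    cookies = parse_cookie_header(headers.get("Cookie", ""))
    if verify_cookie(cookies.get(COOKIE_NAME), client_ip, now):
        return 200, {}
    # No valid cookie: answer with a redirect to the same path and set the cookie.
    # A browser follows the redirect and resends the request with the cookie attached;
    # a client that never stores cookies keeps receiving redirects and never reaches the origin.
    cookie = make_cookie(client_ip, now)
    return 302, {
        "Location": path,
        "Set-Cookie": f"{COOKIE_NAME}={cookie}; Path=/; HttpOnly; Secure; SameSite=Lax",
    }
```

The check is stateless on the server side (nothing is stored per client), which is what makes it cheap enough to run in the request path under flood conditions; binding the cookie to the client address and a timestamp keeps a cookie obtained by one client from being replayed indefinitely or from another address.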
Because TLS handshake DDoS attacks are common, it makes sense to perform the TLS handshake in the kernel so that TLS connections can be established as quickly as possible.
While TLS is very complex code, it doesn't require complex locking, advanced memory management and so on. It took us only one person-month to move TLS [2] with all the necessary HTTPS interfaces into the kernel. Thus, it's easier to move TLS into the kernel than to move the TCP/IP stack to user space.
To reduce the amount of HTTP processing logic in the kernel, we propose an efficient zero-copy kernel/user-space transport for HTTP messages. For example, HTTP compression, which isn't crucial for HTTP operation, is to be implemented in user space on top of this transport.
Tempesta FW's benchmarks [3] show that it processes HTTP messages as quickly as an HTTP server using a user-space TCP/IP stack. Thus, bypassing Linux TCP/IP isn't the only way to get a fast Web server.
[1] Tempesta FW's source code
[2] mbed TLS

Alexander Krizhanovsky
Seattle, USA
Tempesta Technologies Inc.
Alexander is founder and CEO of Tempesta Technologies Inc. and lead developer of Tempesta FW. He's also CEO and founder of NatSys Lab., a company providing consultancy in high-performance computing in Linux/x86-64 environments. Alexander has more than 10 years of experience in Linux kernel development.
Linux Piter will be co-located with the Piter Py conference. Participants of either conference can attend the talks of both.