Kernel HTTPS/TCP/IP stack for HTTP DDoS mitigation
Application-layer HTTP DDoS attacks are usually mitigated by HTTP accelerators or HTTP load balancers. However, the Linux socket interface used by such software doesn't provide reasonable performance under the extreme loads caused by DDoS attacks.
HTTP servers based on user space TCP/IP stacks are becoming popular due to their better performance. However, a TCP/IP stack is inherently a huge and complex body of code, so it's not wise to implement and run it twice, in user space and in the kernel. Moreover, the kernel TCP/IP stack is well integrated with many powerful tools such as iptables, IPVS, tc, tcpdump and many others. These tools are unavailable to a user space TCP/IP stack or require complex interfaces.
Due to the popularity of TLS handshake DDoS attacks, it makes sense to perform the TLS handshake in the kernel so that TLS connections can be established as quickly as possible.
While TLS is very complex code, it doesn't require complex locking, advanced memory management and so on. It took us only 1 human-month to move TLS, with all the necessary HTTPS interfaces, into the kernel. Thus, it's easier to move TLS to the kernel than it is to move the TCP/IP stack to user space.
To reduce the amount of HTTP processing logic in the kernel, we propose an efficient zero-copy kernel-to-user-space transport for HTTP messages. For example, HTTP compression, which isn't crucial for HTTP operation, is intended to be implemented in user space on top of this transport.
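As an added illustration of the zero-copy transport idea (not Tempesta FW's implementation, whose design this abstract does not detail), the Python below uses an anonymous mmap region as a stand-in for a buffer the kernel would share with user space. The length-prefixed record layout, the function names and the sample messages are assumptions constructed for the example. The user-space consumer decodes only the small header block and hands out message bodies as memoryview slices of the mapping, so body bytes are never copied out of the shared region, and it rejects records whose Content-Length disagrees with the framed length, since a producer and consumer that disagree about message boundaries is exactly the kind of desynchronization a DDoS-hardened pipeline must not tolerate.

```python
import mmap
import struct

# Added illustration (not Tempesta FW code): an anonymous shared mapping
# stands in for a buffer the kernel would share with user space. Records
# are laid out as [u32 little-endian payload length][one HTTP message];
# this framing is an assumption made for the example only.
REGION_SIZE = 64 * 1024
REC_HDR = struct.Struct("<I")


def create_region() -> mmap.mmap:
    """Constructed stand-in for the kernel-shared region."""
    return mmap.mmap(-1, REGION_SIZE)


def produce(region: mmap.mmap, offset: int, message: bytes) -> int:
    """Append one framed HTTP message at `offset`; return the new write offset.
    Plays the kernel-side producer role in this illustration."""
    if offset + REC_HDR.size + len(message) > REGION_SIZE:
        raise ValueError("shared region full")
    region[offset:offset + REC_HDR.size] = REC_HDR.pack(len(message))
    offset += REC_HDR.size
    region[offset:offset + len(message)] = message
    return offset + len(message)


def parse_http(region: mmap.mmap, start: int, end: int):
    """Parse the message occupying region[start:end].

    Only the (small) header block is decoded into Python strings; the body is
    returned as a memoryview slice of the mapping, so its bytes are never
    copied out of the shared region.
    """
    hdr_end = region.find(b"\r\n\r\n", start, end)
    if hdr_end < 0:
        raise ValueError("incomplete header block")
    head = region[start:hdr_end].decode("latin-1").split("\r\n")
    start_line, headers = head[0], {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    body = memoryview(region)[hdr_end + 4:end]  # zero-copy view of the body
    # Framing check: the record length and Content-Length must agree, otherwise
    # the producer and user space disagree about where the message ends.
    if "content-length" in headers and int(headers["content-length"]) != len(body):
        raise ValueError("Content-Length does not match framed body length")
    return start_line, headers, body


def consume(region: mmap.mmap, end: int):
    """Yield parsed messages from region[0:end] (the user-space consumer)."""
    off = 0
    while off < end:
        (n,) = REC_HDR.unpack_from(region, off)
        off += REC_HDR.size
        yield parse_http(region, off, off + n)
        off += n


def demo():
    """Constructed round trip: two messages produced, then consumed."""
    region = create_region()
    end = 0
    end = produce(region, end, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    end = produce(region, end,
                  b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Length: 5\r\n\r\nhello")
    return list(consume(region, end))


if __name__ == "__main__":
    for start_line, headers, body in demo():
        print(start_line, headers, bytes(body))
```

Because `consume` yields views into the mapping, a user-space stage such as compression can read the body in place; the only copies made are the header strings, which are small by construction.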
Tempesta Technologies Inc.
Alexander is the founder and CEO of Tempesta Technologies Inc. and the lead developer of Tempesta FW. He is also the CEO and founder of NatSys Lab., a company providing consultancy in high-performance computing in the Linux/x86-64 environment. Alexander has more than 10 years of experience in Linux kernel development.