Linux kernel HTTPS/TCP/IP stack for HTTP DDoS mitigation

Want to visit   +54

Author: Alexander Krizhanovsky

The talk describes an extension of the Linux TCP/IP stack, so that HTTPS works in the same stack with TCP and IP. Application-layer HTTP DDoS attacks are usually mitigated by HTTP accelerators or HTTP load balancers. However, Linux socket interface used by the software doesn't provide reasonable performance for extreme loads caused by DDoS attacks. HTTP servers based on user space TCP/IP stacks are becoming popular due to their better performance, but TCP/IP stacks are huge and complex code, so it's not wise to implement and run it twice in user and kernel spaces. Kernel TCP/IP stack is well integrated with many powerful tools like IPTables, IPVS, tc, tcpdump that are unavailable for a user space TCP/IP stack or require complex interfaces. The speaker will present Tempesta FW, which introduces HTTPS processing to the kernel. HTTPS is built into the Linux TCP/IP stack. As an HTTP firewall, Tempesta FW implements a set of rate limits and heuristics to defend against HTTPS floods and Slow HTTP attacks.

  • Language
  • Russian

CEO at Tempesta Technologies and lead developer of Tempesta FW, a Linux application delivery controller. Founder and CEO of NatSys Lab., a company providing consultancy and custom software development in high performance network traffic processing and databases. Responsible for architecture and performance of several products in network traffic processing and database areas.

Alexander Krizhanovsky Alexander Krizhanovsky

Back to the list