[ENG] Alexander Krizhanovsky: "Kernel HTTPS/TCP/IP stack for HTTP DDoS mitigation"

Kernel HTTPS/TCP/IP stack for HTTP DDoS mitigation

Application layer HTTP DDoS attacks are usually mitigated by HTTP accelerators or HTTP load balancers. However, Linux socket interface used by the software doesn't provide
reasonable performance for extreme loads caused by DDoS attacks.
HTTP servers based on user space TCP/IP stacks are becoming popular due to their better performance. However, TCP/IP stack is basically huge and complex code, so it's not wise to implement and run it twice in user and kernel spaces. Next, kernel TCP/IP stack is well integrated with many powerful tools like IPTables, IPVS, tc, tcpdump and many others. The tools are unavailable for a user space TCP/IP stack or require complex interfaces.
This talk describes Tempesta FW [1] which introduces HTTPS processing to the kernel. HTTPS is built into Linux TCP/IP stack. As an HTTP firewall, Tempesta FW implements reach set of rate limits and heuristics to defend against HTTPS floods, Slow HTTP and several Web attacks. Also HTTP cookie challenge is implemented, JavaScript challenge and several other more advanced DDoS mitigation techniques are in development now.
Due to popularity of TLS handshake DDoS attacks, it makes sense to perform TLShandshake in the kernel to be able to establish TLS connections as soon as possible.
While TLS is a very complex code, it doesn't require complex locking, advanced memory management and so on. It only took 1 human month for us to move TLS [2] with all necessary HTTPS interfaces to the kernel. Thus, it's easier to move TLS to the kernel than than it is to move TCP/IP stack to user space.
To reduce the amount of HTTP processing logic in the kernel we propose efficient zero-copy kernel-user space transport for HTTP messages. For example, HTTP compression, which isn't crucial for HTTP operation, is considered to be implemented in user-space using the transport.
Tempesta FW's benchmarks [3] show that it processes HTTP messages as quickly as an HTTP server using user space TCP/IP. Thus, bypassing Linux TCP/IP isn’t the only way to get a fast Web server.
[1]. Tempesta FW's source code, https://github.com/tempesta-tech/tempesta
[2]. mbed TLS, https://tls.mbed.org/
[3]. https://github.com/tempesta-tech/tempesta/wiki/HTTP-cache-performance

++++++++++++++++

Alexander Krizhanovsky
USA. Seattle
CEO
Tempesta Technologies Inc.
Alexander is founder and CEO at Tempesta Technologies Inc and lead developer of Tempesta FW. He's also CEO and founder of NatSys Lab., a company providing
consultancy in high performance computing in Linux/x86-64 environment. Alexander has more than 10 years of experience in Linux kernel development.

++++++++++++++++

Linux Piter 2017
http://LinuxPiter.com
https://it-events.com/events/9745

Follow us
Vk: https://vk.com/linuxpiter
Facebook: https://www.facebook.com/LinuxPiterConf/
Twitter: https://twitter.com/LinuxPiter

#LinuxPiter

++++++++++++++++

Organizers:

IT-Events:
http://it-events.com

IT-Dominanta:
http://www.it-dominanta.com

++++++++++++++++

General Sponsors

DELL EMC:
http://russia.emc.com

++++++++++++++++
Sponsors
Virtuozzo: https://virtuozzo.com
Yadro: https://yadro.com/