Tempesta FW

FOSDEM 2017

Tempesta FW is a high performance open source Linux application delivery controller (ADC). The project is built into the Linux TCP/IP stack to get maximum performance for normal Web content delivery and efficient traffic filtering for volumetric DDoS mitigation.

I'll start by considering a simple example of how to build an ADC using traditional open source software. I'll describe drawbacks of the approach and why we started Tempesta FW's development. Next I'll go into the project internals and conclude the presentation with Tempesta FW performance benchmarks and several examples.

Application delivery controllers (ADCs) are typically hardware appliances that accelerate Web content delivery, intelligently balance loads among upstream servers, employ QoS and traffic shaping to efficiently and elegantly mitigate DDoS on all network layers, and provide Web application firewalling and application performance monitoring. However, it seems there are no open source projects that are able to perform these tasks with comparable performance and accuracy.

In this presentation I'll describe Tempesta FW - a high performance, open source Linux application delivery controller. The project is built into the Linux TCP/IP stack to get maximum performance for normal Web content delivery and efficient traffic filtering for volumetric DDoS mitigation.

I'll start by considering a simple example of an installation of Nginx, Fail2Ban, and iptables. Alternative configurations containing other open source projects will be covered as well. I'll describe why such configurations usually do a poor job, and why we started Tempesta FW's development.

Next I'll describe how Tempesta FW services HTTP requests, and how the HTTP layer works with low-layer filter logic. There are several HTTP load-balancing strategies, including flexible distribution of requests by almost any HTTP field and predictive strategy by monitoring application performance. Several technologies at the basis of Tempesta FW's performance will also be covered:

  • Linux TCP/IP stack optimizations for efficient HTTP proxying

  • stateless HTTP parsing and use of the AVX2 instruction set to efficiently process HTTP strings

  • lightweight in-memory database, TempestaDB, based on a cache-conscious lock-free data structure used for servicing a web cache

I'll conclude with Tempesta FW performance benchmarks and show several installation and configuration examples.

Speakers: Alexander Krizhanovsky