Tempesta FW is an all-in-one open-source solution for high-performance web content delivery and advanced protection against DDoS and web attacks. It is a drop-in replacement for the whole web server frontend infrastructure: an HTTPS load balancer, a web accelerator, a DDoS mitigation system, and a web application firewall (WAF).
Tempesta FW is the first and only hybrid of a web accelerator and a multi-layer firewall. This unique architecture provides efficient blocking of any malicious traffic and outstanding performance of web applications in normal operation. The architecture is the result of collecting and applying state-of-the-art research and cutting-edge technologies.
Tempesta FW services up to 1.8M HTTP requests per second on the cheapest hardware. The benchmark results are open and can be easily verified. Our performance results are beyond the reach of other modern web accelerators.
Tempesta FW uses TempestaDB, a very fast in-memory database, to serve as a web cache.
While most modern web accelerators are unable to pipeline HTTP requests, Tempesta FW can pipeline HTTP requests, utilizing backend server connections more efficiently.
A performance-optimized fork of the proven mbedTLS library is used to offload TLS encryption from your servers and efficiently mitigate TLS handshake DDoS attacks.
Tempesta FW uses machine learning to dynamically learn and predict changes in the performance and the availability of each of your backend servers. There is no need to configure and maintain many different weights in your web cluster! Tempesta FW also provides a rich set of traditional load balancing strategies such as persistent sessions, complex conditional statements over almost any set of HTTP request fields, weighted round-robin, and rendezvous hashing.
Tempesta FW is a hybrid of web accelerator, load balancer, and application layer firewall. It analyzes HTTP traffic immediately as it arrives at a network adapter. Any malicious traffic is dropped early at the IP layer, saving system resources for really useful work.
Tempesta FW provides the Frang module for fine-grained HTTP filtering to protect against various types of HTTP DDoS and web attacks.
A sticky cookie module provides unique identification of each client and efficiently challenges DDoS bots.
Tempesta FW dynamically monitors upstream server performance and, using machine learning algorithms, predicts how that performance will change in the near future. Adaptive load balancing leverages that data to forward client requests to the server that has, or is expected to have, the smallest workload.
Tempesta FW measures the delays between when client requests are forwarded to the upstream server and the server response. That data is collected and analyzed, so system administrators can monitor online statistics for each backend server.
Tempesta FW is designed to deliver the highest performance in HTTP processing under various workloads. High performance servicing of unusual traffic is crucial for resistance against complex DDoS attacks, including targeted DDoS attacks. Most types of HTTP floods can be mitigated without any configuration effort thanks to the fast processing engine.
How the results were achieved
The core of HTTP processing is the fastest HTTP parser. Tempesta FW uses the full power of the modern x86-64 instruction set along with new algorithms for fast HTTP string processing. A highly optimized in-memory database using a new CPU cache-conscious data structure services the web cache. Tempesta FW works as a part of the Linux TCP/IP stack, eliminating traditional I/O queues, context switches and copying. Advanced techniques for working with packet fragments are used to adjust HTTP headers in zero-copy fashion. A special highly efficient inter-CPU transport is used to proxy network packets among TCP sockets with minimal inter-CPU traffic. All these things combined make the most efficient web accelerator and HTTP filter. Our Wiki page describes details on the benchmark, so you can reproduce the results for yourself.
More about high performance HTTP processing
Tempesta FW is built into the Linux TCP/IP stack for better and more stable performance relative to most modern HTTP accelerators and load balancers. This unique technology makes HTTP filtering almost as fast as filtering at the IP layer. Meanwhile, normal HTTP requests are serviced immediately, without overheads in queues, context switches, and without any need to make copies. Not only that, but it provides the same user experience as traditional web accelerators and HTTP load balancers in normal Linux installations. It can be installed on almost any server and is easier to use than the average hardware appliance. Unlike web servers built on top of user-space TCP/IP stacks (e.g. using DPDK, Netmap etc.), you can use standard Linux tools like IPTables, tc, LVS, and tcpdump to manage HTTP traffic without making many data copies. Our Netdev 2.1 paper discusses issues with modern web accelerators and describes Tempesta FW's design. The presentation, also available at the link, addresses several unique technologies and algorithms for high performance HTTP protocol processing and proxying.
TempestaDB was designed to store a web cache and filter rules. However, it provides common user-space interfaces for persistent key-value data storage, which can then be accessed from web applications. The tdbq user-space tool modifies and queries stored data.
The libtdb library provides access to the database from user space so you can use TempestaDB as an embedded database. Unlike traditional embedded databases, TempestaDB can be used by many processes concurrently. As a result, the database has much lower overhead for data transport than client-server databases.
More about TempestaDB
The database employs a number of cutting-edge technologies such as a cache-conscious lock-free burst hash trie for the index, NUMA-aware records distribution and replication, huge pages, zero-copy data transport between user and kernel spaces, and the SSE4.2 instruction set of x86-64. The usage of hardware transactional memory is considered for further releases. Watch our presentation Linux Kernel Extension for Databases from Percona Live 2016 to learn more about TempestaDB design, motivation and further directions in the database development.