TEMPESTA FW

Tempesta FW is an all-in-one open-source solution for high performance web content delivery and advanced protection against DDoS and web attacks. This is a drop-in-replacement for the whole web server frontend infrastructure: a HTTP load balancer, a web accelerator, a DDoS mitigation system, and a web application firewall (WAF).

Tempesta FW is the first and only hybrid of a Web accelerator and a multi-layer firewall. This unique architecture provides efficient blocking of any malicious traffic and outstanding performance of web applications in normal operation. The architecture is the result of collecting and application of state-of-the-art research and cutting edge technologies.

Tempesta FW services up to 1.8M HTTP requests per second on the cheapest hardware. The benchmark results are open and can be easily proven. Our performance results are beyond the reach of other modern web accelerators.

FEATURES

Web acceleration

Tempesta FW uses TempestaDB, a very fast in-memory database, to serve as a web cache.

While most modern web accelerators are unable to pipeline HTTP requests, Tempesta FW can pipeline HTTP requests utilizing backed server connections more efficiently.

A performance optimized fork of proven mbedTLS library is used to offload TLS encryption from your servers and efficiently mitigate TLS handshake DDoS attacks.

Load balancing

Tempesta FW uses machine learning to dynamically learn and predict changes in the performance and the availability of each of your backend servers. There is no need to configure and maintain many different weights in your web cluster!

Also Tempesta FW provides reach set of traditional load balancing strategies such as persistent sessions, complex conditional statements over almost any set of HTTP request fields, weighted round-robin, rendezvous hashing.

Web security

Tempesta FW is a hybrid of web accelerator, load balancer, and application layer firewall. It analyzes HTTP traffic immediately as it arrives to a network adapter. Any malicious traffic is dropped early at the IP layer saving system resource for really useful work.

Tempesta FW provides the Frang module for fine-grained HTTP filtering to protect against various types of HTTP DDoS and web attacks.

A sticky cookie module provides unique identification of each client and efficiently challenges DDoS bots.

Application performance monitoring

Tempesta FW dynamically monitors upstream server performance and using machine learning algorithms predicts how that performance will change in the near future. Adaptive load balancing leverages that data to forward client requests to the server that has, or is expected to have, the smallest workload.

Tempesta FW measures the delays between when client requests are forwarded to the upstream server and the server response. That data is collected and analyzed, so system administrators can monitor online statistics for each backend server.

PERFORMANCE

Tempesta FW is designed to deliver the highest performance in HTTP processing under various workloads. High performance servicing of unusual traffic is crucial for resistance against complex DDoS attacks, including targeted DDoS attacks. Most types of HTTP floods can be mitigated without any configuration effort thanks to the fast processing engine.

How the results were achieved

HOW IT WORKS

  1. The IP packet is received by the network adapter and quickly verified against filtering tables.
  2. The HTTP request is immediately parsed in OS's deferred interrupt while the data is still hot in CPU caches.
  3. The request is analyzed by Frang module responsible for detection of HTTP DDoS and web attacks. If the request is classified as malicious, then the attacker is blocked at IP layer and all subsequent requests from them are blocked at step 1.
  4. Otherwise the request is serviced from the cache or forwarded to an upstream server according to the established load balancing policy. The web cache and filtering database are built on top of TempestaDB.
Tempesta FW archtecture

More about high performance HTTP processing

TEMPESTA DATABASE

TempestaDB was designed to store a web cache and filter rules. However, it provides a common user-space interfaces for persistent key-value data storage, which can be then accessed from web applications. The tdbq user-space tool modifies and queries stored data.

The libtdb library provides access to the database from user space so you can use TempestaDB as an embedded database. Unlike traditional embedded databases, TempestaDB can be used by many processes concurrently. As a result of that, the database has much lower overhead for data transport than client-server databases.

More about TempestaDB

DEPLOYMENT

High availability

The reliability of a web cluster is extremely important. Please check the Wiki page for scenarios of highly available Tempesta FW installations.

Clouds

Tempesta FW can be deployed in clouds as well as on bare metal. You can learn more about cloud installation in our Wiki.

Installation

You can install Tempesta FW from sources or prebuilt packages. System requirements can be found on our Wiki.