Tempesta FW

Tempesta FW is a drop-in replacement for an entire web server frontend infrastructure: an HTTPS load balancer, a web accelerator, a DDoS mitigation system, and a web application firewall (WAF).
Tempesta FW is the first and only hybrid of a web accelerator and a multi-layer firewall. This unique architecture provides efficient blocking of any malicious traffic and outstanding performance of web applications in normal operation. The architecture is the result of collecting and applying state-of-the-art research and cutting-edge technologies.
Tempesta FW services up to 1.8M HTTP requests per second on the cheapest hardware. The benchmark results are open and easily reproducible. Our performance results exceed the metrics of other modern web accelerators.
Watch the Tempesta FW demo in the Security Weekly show – Fast And Secure Web.

DDoS mitigation and bots protection
The core of Tempesta FW is a scalable and ultra-fast network processing engine designed to handle tons of malicious traffic. The multi-layer rule-based and adaptive filtration facilities efficiently mitigate modern large DDoS attacks.

Application security
We developed the fastest HTTP parser technology, which allows Tempesta FW not only to process millions of HTTP requests per second, but also to perform thousands of security checks during HTTP parsing itself. Various injection attacks, including XSS and SQL injection, password crackers, HTTP request smuggling and response splitting, cache poisoning and many others are filtered out faster than traditional web accelerators can parse HTTP messages.

Web acceleration
Tempesta FW uses Tempesta DB, a very fast and highly scalable in-memory database, to hold its web cache.

Load balancing
Tempesta FW provides a rich set of load balancing strategies, such as persistent sessions, complex conditional statements over almost any set of HTTP request fields, weighted round-robin, rendezvous hashing, etc. Tempesta FW also uses machine learning to dynamically learn and predict changes in the performance and availability of each of your backend servers, so there is no need to configure and maintain many different weights in your web cluster.

Application performance monitoring
Tempesta FW dynamically monitors upstream server performance and provides a comprehensive set of performance metrics. Application availability can be monitored using passive or active health monitoring techniques. Load balancing logic is integrated with the health and performance monitoring and dynamically changes traffic distribution among the upstream servers.

HTTP tables
HTTP tables are an extension of the standard Linux iptables, nftables and/or bpfilter to the application layer, the HTTP(S) protocol in particular. You can write multi-layer network filtering rules using Tempesta FW HTTP tables, e.g. filter all HTTP requests that come from a particular IP address and carry a particular HTTP header. Learn more about HTTP tables in our knowledge base.

TLS termination
Tempesta TLS extends the Linux TCP/IP stack with the TLS protocol, so it avoids the context switches that traditional user-space libraries cannot avoid, and it constructs TLS records in the most efficient way using the current TCP state. Tempesta TLS also employs modern asymmetric cryptography research and advanced zero-copy techniques. All this allows Tempesta FW to establish twice as many handshakes with four times lower latency than Nginx using the OpenSSL or WolfSSL libraries. TLS handshake rate limiting efficiently mitigates TLS handshake DDoS attacks.

Performance
Tempesta FW is designed to deliver the highest performance in HTTP processing under various workloads. High-performance servicing of unusual traffic is crucial for resistance against complex DDoS attacks, including targeted DDoS attacks. Most types of HTTP floods can be mitigated without any configuration effort thanks to the fast processing engine.

How it works
Tempesta FW is embedded into the Linux TCP/IP stack and works in kernel space, but it is administered from user space just like any traditional web accelerator.

1. An administrator starts, stops and configures Tempesta FW just like any traditional user-space HTTP accelerator.
2. HTTP tables and the Linux firewall engine Netfilter communicate using packet marking to express multi-layer network filtering rules.
3. DDoS attacks, web attacks and bots are blocked by HTTP tables and rate-limiting rules, JavaScript and cookie challenges, and dynamic classification logic.
4. Normal user requests are load balanced among upstream servers.
5. Server responses are stored in the web cache and returned to the user.
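As an added illustration of the HTTP tables section above and of step 2 here (the Netfilter packet-marking handoff), the following configuration fragment is not taken from this page or from the Tempesta FW project; its directive and rule syntax is assumed from the project's documentation, and the addresses, header value and file paths are constructed.

```conf
# Constructed example: a layer 3 decision made by Netfilter (packet mark)
# is refined by a layer 7 condition (HTTP header) in HTTP tables.
# Syntax assumed from the Tempesta FW documentation, not verified here.
#
# Netfilter side (assumed root shell command, run separately): tag packets
# from a suspicious network with mark 1 so the HTTP layer can see it.
#   iptables -t mangle -A PREROUTING -s 203.0.113.0/24 -j MARK --set-mark 1

listen 443 proto=https;
tls_certificate /etc/tempesta/example.crt;        # constructed path
tls_certificate_key /etc/tempesta/example.key;    # constructed path

# Upstream servers receiving normal traffic (constructed addresses).
srv_group app_servers {
    server 10.0.0.11:8080;
    server 10.0.0.12:8080;
}

vhost app {
    proxy_pass app_servers;
}

# Second-stage chain, reached only for requests whose packets Netfilter
# marked: block marked clients that also announce a scripted client,
# but let marked yet otherwise ordinary traffic through to the backends.
http_chain suspicious {
    hdr "User-Agent" == "python-requests*" -> block;
    -> app;
}

# Entry chain: hand marked traffic to the second stage, route the
# expected host to the application, and drop everything else.
http_chain {
    mark == 1 -> suspicious;
    host == "app.example.com" -> app;
    -> block;
}
```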

Deployment

High availability
The reliability of a web cluster is extremely important. Please check the Wiki page for scenarios of highly available Tempesta FW installations.

Clouds
Tempesta FW can be deployed in clouds as well as on bare metal. You can learn more about cloud installation in our Wiki.

Installation
You can install Tempesta FW from sources or prebuilt packages. System requirements can be found on our Wiki.

Support

Tempesta FW online documentation is available in the knowledge base.

We can help you to install and configure Tempesta FW as well as to tune your operating system to ensure maximum performance. Our experts have years of experience in high-performance network traffic processing and databases, including both the development and management sides. We’d be happy to help you build a high-performance, scalable, and highly available system using Tempesta FW.

Please contact us for any inquiries.

We thank NetActuate, our technical partner, for development, testing and deployment of Tempesta FW in an anycasted environment.