Tempesta Technologies
  • Home
  • Tempesta FW
    • Features
      • Web acceleration
      • Load balancing
      • Application performance monitoring
    • Performance
    • How it works
    • Deployment
    • Support
    • Knowledge base
  • Services
    • Software development
      • High performance
      • Networking
      • Databases
      • Linux kernel
      • Machine learning
      • How we work
      • Case studies
    • Performance analysis
    • Network security
      • DDoS protection
      • Application security
      • Cryptography
      • Security assessment
      • How we work
      • Case Studies
  • Solutions
    • DDoS Protection
    • Web Acceleration
  • Blog
  • Company
    • Research
    • Careers
    • Contact
Tempesta Technologies

Webshield Observability

The Webshield is deeply integrated with ClickHouse. Each block incident is also registered in a special table in the database: blocked_users.

The table schema is as follows:

CREATE TABLE blocked_users (
    address IPv6,
    tft UInt64,
    tfh UInt64,
    reason UInt64,
    timestamp DateTime(3, 'UTC'),
    PRIMARY KEY (timestamp)
)

One important thing to understand: the client can configure different detectors, for example tft_rps and tfh_time. These types of detectors aggregate access logs by TFt or TFh respectively, and as a result, the address field should be empty because many IP addresses might fall under the same TFt or TFh. Similarly, if bad traffic is detected using IP_RPS, the tft and tfh fields should be empty. In other words, this table actually records the characteristic of the user (or group of users) that caused the block.

Field meanings:

Field Name Description
address The IP address of the blocked user
tft The TFt hash of the blocked user
tfh The TFh hash of the blocked user
reason The reason why the block was performed
timestamp The time when the block was made

Block reason codes:

Reason Description
0 Exceeded RPS threshold
1 Exceeded HTTP errors threshold
2 Exceeded accumulative response time threshold
3 Exceeded unusual city GeoIP requests threshold

Share this article
  • Home
  • Requirements
  • Installation
    • Install from packages
    • Install from Sources
  • Configuration
    • Migration from Nginx
    • On the fly Reconfiguration
    • Handling clients
    • Backend servers
    • Scheduling and Load Balancing
    • Caching Responses
    • Non Idempotent Requests
    • Modify HTTP Messages
    • Virtual hosts and locations
    • Sticky Cookie
    • HTTP tables
    • HTTP security
    • Header Via
    • Health monitor
    • Tempesta TLS
    • Vhost Confusion
    • Traffic Filtering by Fingerprints
    • Access Log Analytics
  • Run and stop
  • Application Performance Monitoring
    • Performance statistics
    • Servers statistics
  • Use cases
    • Clouds
    • High availability
    • DDoS mitigation
    • Web security
    • WAF acceleration
    • Best practices
    • WordPress tips and tricks
  • Performance
    • Hardware virtualization performance
    • HTTP cache performance
    • HTTP transactions performance
    • HTTPS performance
    • HTTP2 streams prioritization
  • Bot Protection
    • Tempesta Webshield
    • Setup and Run The Webshield
    • Webshield Configuration
    • Webshield Detectors
    • Webshield Observability
    • Webshield Use Cases
  • Contributing
    • Report issues and send patches
    • Development guidelines
    • Memory safety guideline
    • Debugging and troubleshooting
    • Prepare a new release
    • Testing
    • QTCreator project

Powered by Tempesta FW

Stay up to date with our latest developments

Useful Links

Home
Blog

Tempesta® FW

Features
Performance
Deployment
Support
Knowledge Base

Services

Software Development
Performance analysis
Network Security

Solutions

DDoS Protection

Web Acceleration

Company

Research
Careers
Contact