Hi
user
Admin Login:
Username:
Password:
Name:
The Linux network stack extension for DDoS mitigation and web security
--client
lca
--show
lca2020
--room arena 15161 --force
Next: 1 Planning for and handling failures from open hardware, aviation, to production at Google
show more...
Marks
Author(s):
Alexander Krizhanovsky
Location
Arena
Date
jan Wed 15
Days Raw Files
Start
13:30
First Raw Start
error-in-template
Duration
0:45:0
Offset
None
End
14:15
Last Raw End
Chapters
Total cuts_time
None min.
https://lca2020.linux.org.au/schedule/presentation/22/
raw-playlist
raw-mp4-playlist
encoded-files-playlist
mp4
svg
png
assets
release.pdf
The_Linux_network_stack_extension_for_DDoS_mitigation_and_web_security.json
logs
Admin:
episode
episode list
cut list
raw files day
marks day
marks day
image_files
State:
---------
borked
edit
encode
push to queue
post
richard
review 1
email
review 2
make public
tweet
to-miror
conf
done
Locked:
clear this to unlock
Locked by:
user/process that locked.
Start:
initially scheduled time from master, adjusted to match reality
Duration:
length in hh:mm:ss
Name:
Video Title (shows in video search results)
Emails:
email(s) of the presenter(s)
Released:
has someone authorised pubication
Unknown
Yes
No
Normalise:
Channelcopy:
m=mono, 01=copy left to right, 10=right to left, 00=ignore.
Thumbnail:
filename.png
Description:
markdown
Back in 2013 we started development of a Web Application Firewall (WAF) on top of one of the widespread HTTP accelerators. That time we realized that modern HTTP accelerators were designed to service normal HTTP requests and don't suite well for filtering massive HTTP traffic from malicious clients such as DDoS bots. A WAF protecting huge web resources or thousands of small web sites also experiences overloading due to deep analyzing of HTTP and web content. So we started to develop our own hybrid of HTTP accelerator and a firewall, Tempesta FW, to address the problem of servicing and filtering massive HTTPS traffic. It can be used as standalone web acceleration and protection system as well as a WAF accelerator performing pre-filtering for more advanced WAF. Tempesta FW is an open source Linux kernel module integrated into the Linux TCP/IP stack and implementing rich set of HTTP security features. Tempesta FW implements HTTPtables, HTTP requests filtering tool which can be used together with nftables to define filtering rules on all network layers on the same time. Strict and flexible HTTP fields verification, HTTP cookies and JavaScript challenges, as well as various rate limits, are also implemented to efficiently block HTTP(S) DDoS and Web attacks. This talk describes common issues with filtering malicious HTTPS traffic on modern HTTP accelerators, how Tempesta FW solves them, and several low-level topics such as SIMD HTTP strings processing algorithms, but mostly I'll concentrate on TempestaTLS - a fork of mbedTLS to implement TLS handshakes in the Linux kernel. TempestaTLS cooperates with the TCP/IP stack to send records of optimal size and avoid copying. The handshakes state machine is carefully optimized to provide highest performance. I'll show performance benchmarks comparing TempestaTLS with OpenSSL in workloads close to real life DDoS attack against TLS handshakes.
Comment:
production notes
Rf filename:
root is .../show/dv/location/, example: 2013-03-13/13:13:30.dv
Sequence:
get this:
check and save to add this
Veyepar
Video Eyeball Processor and Review