Positive Hack Days, profile picture
Uploaded byPositive Hack Days
583 views

Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак

The document discusses HTTP DDoS mitigation strategies utilizing a kernel HTTPS/TCP/IP stack by Tempesta Technologies. It emphasizes the need for fast HTTP processing, advanced filtering, and tight integration between web accelerators and firewalls to effectively handle various DDoS attack vectors. Furthermore, it highlights challenges with traditional web accelerators and proposes kernel-level enhancements to improve performance and mitigate DDoS threats more efficiently.

Embed presentation

Kernel HTTPS/TCP/IP stack for HTTP DDoS mitigation Alexander Krizhanovsky Tempesta Technologies, Inc. ak@tempesta-tech.com
Who am I? CEO & CTO at Tempesta Technologies Developing Tempesta FW – open source Linux Application Delivery Controller (ADC) Custom software development in: ● high performance network traffic processing ● Databases e.g. MariaDB SQL System Versioning https://github.com/tempesta-tech/mariadb https://m17.mariadb.com/session/technical-preview-temporal-queryi ng-asof
HTTPS challenges HTTP(S) is a core protocol for the Internet (IoT, SaaS, Social networks etc.) HTTP(S) DDoS is tricky ● Asymmetric DDoS (compression, TLS handshake etc.) ● A lot of IP addresses with low traffic ● Machine learning is used for clustering ● How to filter out all HTTP requests with “Host: www.example.com:80”? ● "Lessons From Defending The Indefensible": https://www.youtube.com/watch?v=pCVTEx1ouyk
TCP stream filter IPtables strings, BPF, XDP, NIC filters ● HTTP headers can cross packet bounds ● Scan large URI or Cookie for Host value? Web accelerator ● aren’t designed (suitable) for HTTP filtering
IPS vs HTTP DDoS e.g. Suricata, has powerful rules syntax at L3-L7 Not a TCP end point => evasions are possible SSL/TLS SSL terminator is required => many data copies & context switches or double SSL processing (at IDS & at Web server) Double HTTP parsing Doesn’t improve Web server peroformance (mitigation != prevention)
Interbreed an HTTP accelerator and a firewall TCP & TLS end point Very fast HTTP parser to process HTTP floods Network I/O optimized for massive ingress traffic Advanced filtering abilities at all network layers Very fast Web cache to mitigate DDoS which we can’t filter out ● ML takes some time for bots clusterization ● False negatives are unavoidable
Application Delivery Controller (ADC)
Application layer DDoS Service from Cache Rate limit Nginx 22us 23us (Additional logic in limiting module) Fail2Ban: write to the log, parse the log, write to the log, parse the log…
Application layer DDoS Service from Cache Rate limit Nginx 22us 23us (Additional logic in limiting module) Fail2Ban: write to the log, parse the log, write to the log, parse the log… - really in 21th century?! tight integration of Web accelerator and a firewall is needed
Web-accelerator capabilities Nginx, Varnish, Apache Traffic Server, Squid, Apache HTTPD etc. ● cache static Web-content ● load balancing ● rewrite URLs, ACL, Geo, filtering etc.
Web-accelerator capabilities Nginx, Varnish, Apache Traffic Server, Squid, Apache HTTPD etc. ● cache static Web-content ● load balancing ● rewrite URLs, ACL, Geo, filtering? etc.
Web-accelerator capabilities Nginx, Varnish, Apache Traffic Server, Squid, Apache HTTPD etc. ● cache static Web-content ● load balancing ● rewrite URLs, ACL, Geo, filtering? etc. ● C10K
Web-accelerator capabilities Nginx, Varnish, Apache Traffic Server, Squid, Apache HTTPD etc. ● cache static Web-content ● load balancing ● rewrite URLs, ACL, Geo, filtering? etc. ● C10K – is it a problem for bot-net? SSL? CORNER ● what about tons of 'GET / HTTP/1.0nn'? CASES!
Web-accelerator capabilities Nginx, Varnish, Apache Traffic Server, Squid, Apache HTTPD etc. ● cache static Web-content ● load balancing ● rewrite URLs, ACL, Geo, filtering? etc. ● C10K – is it a problem for bot-net? SSL? CORNER ● what about tons of 'GET / HTTP/1.0nn'? CASES! Kernel-mode Web-accelerators: TUX, kHTTPd ● basically the same sockets and threads ● zero-copy → sendfile(), lazy TLB
Web-accelerator capabilities Nginx, Varnish, Apache Traffic Server, Squid, Apache HTTPD etc. ● cache static Web-content ● load balancing ● rewrite URLs, ACL, Geo, filtering? etc. ● C10K – is it a problem for bot-net? SSL? CORNER ● what about tons of 'GET / HTTP/1.0nn'? CASES! Kernel-mode Web-accelerators: TUX, kHTTPd ● basically the same sockets and threads ● zero-copy → sendfile(), lazy TLB => not needed
Web-accelerator capabilities Nginx, Varnish, Apache Traffic Server, Squid, Apache HTTPD etc. ● cache static Web-content ● load balancing ● rewrite URLs, ACL, Geo, filtering? etc. ● C10K – is it a problem for bot-net? SSL? CORNER ● what about tons of 'GET / HTTP/1.0nn'? CASES! Kernel-mode Web-accelerators: TUX, kHTTPd NEED AGAIN ● basically the same sockets and threads TO MITIGATE ● zero-copy → sendfile(), lazy TLB => not needed HTTPS DDOS
Web-accelerators are slow: SSL/TLS copying User-kernel space copying ● Copy network data to user space ● Encrypt/decrypt it ● Copy the date to kernel for transmission Kernel-mode TLS ● Facebook,RedHat: https://lwn.net/Articles/666509/ ● Netflix: https://people.freebsd.org/~rrs/asiabsd_2015_tls.pdf ● TLS handshake is still an issue ● TLS 1.3 is good, but DDoS bots can be legacy clients
Web-accelerators are slow: profile % symbol name 1.5719 ngx_http_parse_header_line 1.0303 ngx_vslprintf 0.6401 memcpy 0.5807 recv 0.5156 ngx_linux_sendfile_chain 0.4990 ngx_http_limit_req_handler => flat profile
Web-accelerators are slow: syscalls epoll_wait(.., {{EPOLLIN, ....}},...) recvfrom(3, "GET / HTTP/1.1rnHost:...", ...) write(1, “...limiting requests, excess...", ...) writev(3, "HTTP/1.1 503 Service...", ...) sendfile(3,..., 383) recvfrom(3, ...) = -1 EAGAIN epoll_wait(.., {{EPOLLIN, ....}}, ...) recvfrom(3, "", 1024, 0, NULL, NULL) = 0 close(3)
Web-accelerators are slow: HTTP parser Start: state = 1, *str_ptr = 'b' while (++str_ptr) { switch (state) { <= check state case 1: switch (*str_ptr) { case 'a': ... state = 1 case 'b': ... state = 2 } case 2: ... } ... }
Web-accelerators are slow: HTTP parser Start: state = 1, *str_ptr = 'b' while (++str_ptr) { switch (state) { case 1: switch (*str_ptr) { case 'a': ... state = 1 case 'b': ... state = 2 <= set state } case 2: ... } ... }
Web-accelerators are slow: HTTP parser Start: state = 1, *str_ptr = 'b' while (++str_ptr) { switch (state) { case 1: switch (*str_ptr) { case 'a': ... state = 1 case 'b': ... state = 2 } case 2: ... } ... <= jump to while }
Web-accelerators are slow: HTTP parser Start: state = 1, *str_ptr = 'b' while (++str_ptr) { switch (state) { <= check state case 1: switch (*str_ptr) { case 'a': ... state = 1 case 'b': ... state = 2 } case 2: ... } ... }
Web-accelerators are slow: HTTP parser Start: state = 1, *str_ptr = 'b' while (++str_ptr) { switch (state) { case 1: switch (*str_ptr) { case 'a': ... state = 1 case 'b': ... state = 2 } case 2: ... <= do something } ... }
Web-accelerators are slow: HTTP parser
Web-accelerators are slow: strings We have AVX2, but GLIBC doesn’t still use it HTTP strings are special: ● No ‘0’-termination (if you’re zero-copy) ● Special delimiters (‘:’ or CRLF) ● strcasecmp(): no need case conversion for one string ● strspn(): limited number of accepted alphabets switch()-driven FSM is even worse
Fast HTTP parser http://natsys-lab.blogspot.ru/2014/11/the-fast-finite-state-machine-for- http.html ● 1.6-1.8 times faster than Nginx’s HTTP optimized AVX2 strings processing: http://natsys-lab.blogspot.ru/2016/10/http-strings-processing-using-c- sse42.html ● ~1KB strings: ● strncasecmp() ~x3 faster than GLIBC’s ● URI matching ~x6 faster than GLIBC’s strspn() ● kernel_fpu_begin()/kernel_fpu_end() for whole softirq shot
HTTP strong validation TODO: https://github.com/tempesta-tech/tempesta/issues/628 Injections: specify allowed URI characters for a Web app Resistant to large HTTP fields
Web-accelerators are slow: async I/O
Web-accelerators are slow: async I/O
Web-accelerators are slow: async I/O
Web-accelerators are slow: async I/O Web cache also resides In CPU caches and evicts requests
HTTPS/TCP/IP stack Alternative to user space TCP/IP stacks HTTPS is built into TCP/IP stack Kernel TLS (fork from mbedTLS) – no copying (1 human month to port TLS to kernel!) HTTP firewall plus to IPtables and Socket filter Very fast HTTP parser and strings processing using AVX2 Cache-conscious in-memory Web-cache for DDoS mitigation TODO HTTP QoS for asymmetric DDoS mitigation DSL for multi-layer filter rules
Tempesta FW
TODO: HTTP QoS for asymmetric DDoS mitigation https://github.com/tempesta-tech/tempesta/issues/488 “Web2K: Bringing QoS to Web Servers” by Preeti Bhoj et al. Local stress: packet drops, queues overrun, response latency etc (kernel: cheap statistics for asymmetric DDoS) Upsream stress: req_num / resp_num, response time etc. Static QoS rules per vhost: HTTP RPS, integration w/ Qdisc - TBD Actions: reduce TCP window, don’t accept new connections, close existing connections
Synchronous sockets: HTTPS/TCP/IP stack Socket callbacks call TLS and HTTP processing Everything is processing in softirq (while the data is hot) No receive & accept queues No file descriptors Less locking
Synchronous sockets: HTTPS/TCP/IP stack Socket callbacks call TLS and HTTP processing Everything is processing in softirq (while the data is hot) No receive & accept queues No file descriptors Less locking Lock-free inter-CPU transport => faster socket reading => lower latency
skb page allocator: zero-copy HTTP messages adjustment Add/remove/update HTTP headers w/o copies skb and its head are allocated in the same page fragment or a compound page
skb page allocator: zero-copy HTTP messages adjustment Add/remove/update HTTP headers w/o copies skb and its head are allocated in the same page fragment or a compound page
Sticky cookie User/session identification ● Cookie challenge for dummy DDoS bots ● Persistent/sessions scheduling (no rescheduling on a server failure) Enforce: HTTP 302 redirect sticky name=__tfw_user_id__ enforce;
Sticky cookie User/session identification ● Cookie challenge for dummy DDoS bots ● Persistent/sessions scheduling (no rescheduling on a server failure) Enforce: HTTP 302 redirect sticky name=__tfw_user_id__ enforce; TODO: JavaScript challenge https://github.com/tempesta-tech/tempesta/issues/536
TODO: Tempesta language https://github.com/tempesta-tech/tempesta/issues/102 if ((req.user_agent =~ /firefox/i || req.cookie !~ /^our_tracking_cookie/) && (req.x_forwarded_for != "1.1.1.1" || client.addr == 1.1.1.1)) # Block the client at IP layer, so it will be filtered # efficiently w/o further HTTP processing. tdb.insert("ip_filter", client.addr, evict=10000);
Frang: HTTP DoS Rate limits ● request_rate, request_burst ● connection_rate, connection_burst ● concurrent_connections Slow HTTP ● client_header_timeout, client_body_timeout ● http_header_cnt ● http_header_chunk_cnt, http_body_chunk_cnt
Frang: WAF Length limits: http_uri_len, http_field_len, http_body_len Content validation: http_host_required, http_ct_required, http_ct_vals, http_methods HTTP Response Splitting: count and match requests and responses Injections: carefully verify allowed character sets ...and many upcoming filters: https://github.com/tempesta-tech/tempesta/labels/security Not a featureful WAF
WAF accelerator Just like Web accelerator Advanced load balancing: ● Server groups by any HTTP field ● Rendezvous hashing ● Ratio ● Adaptive & predictive Some DDoS attacks can be just normally serviced
Performance https://github.com/tempesta-tech/tempesta/wiki/HTTP-cache-performance
Performance analysis: software & hardware “NGINX Plus vs. F5 BIG‑IP: A Price‑Performance Comparison” https://www.nginx.com/blog/ nginx-plus-vs-f5-big-ip-a-price- performance-comparison/ Nginx: ~600K HTTP RPS w/o access log Difference must be larger for HTTP DDoS blocking (DDoS emulation is an issue)
Performance analysis: kernel bypass Similar to DPDK/user-space TCP/IP stacks http://www.seastar-project.org/ http-performance/ ...bypassing Linux TCP/IP isn’t the only way to get a fast Web server ...lives in Linux infrastructure: LVS, tc, IPtables, eBPF, tcpdump etc.
Keep the kernel small Just 30K LoC (compare w/ 120K LoC of BtrFS) Only generic and crucial HTTPS logic is in kernel Supplementary logic is considered for user space ● HTTP compression & decompression https://github.com/tempesta-tech/tempesta/issues/636 ● Advanced DDoS mitigation & WAF (e.g. full POST processing) ● ...other HTTP users (Web frameworks?) Zero-copy kernel-user space transport for minimizing kernel code
TODO: Zero-copy kernel-user space transport HTTPS DDoS mitigation & WAF ● Machine learning clusterization in user space ● Automatic L3-L7 filtering rules generation
Thanks! Web-site: http://tempesta-tech.com (Powered by Tempesta FW) No failures for the year Availability: https://github.com/tempesta-tech/tempesta Blog: http://natsys-lab.blogspot.com E-mail: ak@tempesta-tech.com

More Related Content

PDF
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
byOntico
 
PDF
Content Caching with NGINX and NGINX Plus
byKevin Jones
 
PDF
How To Set Up SQL Load Balancing with HAProxy - Slides
bySeveralnines
 
PDF
Debugging Distributed Systems - Velocity Santa Clara 2016
byDonny Nadolny
 
PPTX
Usenix LISA 2012 - Choosing a Proxy
byLeif Hedstrom
 
PDF
Introduction to Redis
byDvir Volk
 
PDF
Acus08 Advanced Load Balancing Apache2.2
byJim Jagielski
 
PDF
How happy they became with H2O/mruby and the future of HTTP
byIchito Nagata
 
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
byOntico
 
Content Caching with NGINX and NGINX Plus
byKevin Jones
 
How To Set Up SQL Load Balancing with HAProxy - Slides
bySeveralnines
 
Debugging Distributed Systems - Velocity Santa Clara 2016
byDonny Nadolny
 
Usenix LISA 2012 - Choosing a Proxy
byLeif Hedstrom
 
Introduction to Redis
byDvir Volk
 
Acus08 Advanced Load Balancing Apache2.2
byJim Jagielski
 
How happy they became with H2O/mruby and the future of HTTP
byIchito Nagata
 

What's hot

PDF
Stuart Larsen, attacking http2implementations-rev1
byPacSecJP
 
PDF
Attacking http2 implementations (1)
byJohn Villamil
 
PDF
Apache httpd reverse proxy and Tomcat
byJean-Frederic Clere
 
PPTX
Multi tier-app-network-topology-neutron-final
bySadique Puthen
 
PDF
Defeating The Network Security Infrastructure V1.0
byPhilippe Bogaerts
 
PDF
Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaS
bySadique Puthen
 
PDF
MySQL High Availability Sprint: Launch the Pacemaker
byhastexo
 
PDF
Clug 2012 March web server optimisation
bygrooverdan
 
PDF
Abusing Microsoft Kerberos - Sorry you guys don’t get it
byE Hacking
 
PPTX
Troubleshooting containerized triple o deployment
bySadique Puthen
 
PDF
Neutron Network Namespaces and IPtables--A Technical Deep Dive
byMirantis
 
PPTX
Introduction to Haproxy
byShaopeng He
 
PDF
H2O - the optimized HTTP server
byKazuho Oku
 
KEY
Introduction to memcached
byJurriaan Persyn
 
PDF
Web acceleration mechanics
byAlexander Krizhanovsky
 
PDF
OpenTSDB: HBaseCon2017
byHBaseCon
 
PDF
Developing the fastest HTTP/2 server
byKazuho Oku
 
PDF
gRPC
byDharshana Ratnayake
 
PDF
Elephant Roads: a tour of Postgres forks
byCommand Prompt., Inc
 
PDF
Corosync and Pacemaker
byMarian Marinov
 
Stuart Larsen, attacking http2implementations-rev1
byPacSecJP
 
Attacking http2 implementations (1)
byJohn Villamil
 
Apache httpd reverse proxy and Tomcat
byJean-Frederic Clere
 
Multi tier-app-network-topology-neutron-final
bySadique Puthen
 
Defeating The Network Security Infrastructure V1.0
byPhilippe Bogaerts
 
Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaS
bySadique Puthen
 
MySQL High Availability Sprint: Launch the Pacemaker
byhastexo
 
Clug 2012 March web server optimisation
bygrooverdan
 
Abusing Microsoft Kerberos - Sorry you guys don’t get it
byE Hacking
 
Troubleshooting containerized triple o deployment
bySadique Puthen
 
Neutron Network Namespaces and IPtables--A Technical Deep Dive
byMirantis
 
Introduction to Haproxy
byShaopeng He
 
H2O - the optimized HTTP server
byKazuho Oku
 
Introduction to memcached
byJurriaan Persyn
 
Web acceleration mechanics
byAlexander Krizhanovsky
 
OpenTSDB: HBaseCon2017
byHBaseCon
 
Developing the fastest HTTP/2 server
byKazuho Oku
 
gRPC
byDharshana Ratnayake
 
Elephant Roads: a tour of Postgres forks
byCommand Prompt., Inc
 
Corosync and Pacemaker
byMarian Marinov
 

Similar to Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак

PDF
Linux HTTPS/TCP/IP Stack for the Fast and Secure Web
byAll Things Open
 
PDF
Tempesta FW - Framework и Firewall для WAF и DDoS mitigation, Александр Крижа...
byOntico
 
ODP
Как Web-акселератор акселерирует ваш сайт / Александр Крижановский (Tempesta ...
byOntico
 
PDF
A new Internet? Intro to HTTP/2, QUIC, DoH and DNS over QUIC
byAPNIC
 
PDF
Fast HTTP string processing algorithms
byAlexander Krizhanovsky
 
PPTX
Http - All you need to know
byGökhan Şengün
 
PDF
A New Internet? Introduction to HTTP/2, QUIC and DOH
byAPNIC
 
PPTX
F5 EMEA Webinar Oct'15: http2 how to ease the transition
byDmitry Tikhovich
 
PDF
Http:2.0 101 introduction (workshop) - Bastian Hofmann
byUNICORNS IN TECH
 
ODP
Apache httpd 2.4: The Cloud Killer App
byJim Jagielski
 
PDF
Tempesta FW: a FrameWork and FireWall for HTTP DDoS mitigation and Web Applic...
byAlexander Krizhanovsky
 
PDF
HTTP2 is Here!
byAndy Davies
 
PDF
Woo: Writing a fast web server @ ELS2015
byfukamachi
 
PDF
Http Status Report
byConSanFrancisco123
 
PDF
HTTP/2: What's new?
byPiet van Dongen
 
PDF
HTTP/2 (2017)
byChristian Mäder
 
KEY
Shiny New HTTP Shit
byMark Nottingham
 
PPTX
Http/2
byAdrian Cardenas
 
PDF
What's New and Newer in Apache httpd-24
byJim Jagielski
 
PDF
HTTP colon slash slash: end of the road? @ CakeFest 2013 in San Francisco
byAlessandro Nadalin
 
Linux HTTPS/TCP/IP Stack for the Fast and Secure Web
byAll Things Open
 
Tempesta FW - Framework и Firewall для WAF и DDoS mitigation, Александр Крижа...
byOntico
 
Как Web-акселератор акселерирует ваш сайт / Александр Крижановский (Tempesta ...
byOntico
 
A new Internet? Intro to HTTP/2, QUIC, DoH and DNS over QUIC
byAPNIC
 
Fast HTTP string processing algorithms
byAlexander Krizhanovsky
 
Http - All you need to know
byGökhan Şengün
 
A New Internet? Introduction to HTTP/2, QUIC and DOH
byAPNIC
 
F5 EMEA Webinar Oct'15: http2 how to ease the transition
byDmitry Tikhovich
 
Http:2.0 101 introduction (workshop) - Bastian Hofmann
byUNICORNS IN TECH
 
Apache httpd 2.4: The Cloud Killer App
byJim Jagielski
 
Tempesta FW: a FrameWork and FireWall for HTTP DDoS mitigation and Web Applic...
byAlexander Krizhanovsky
 
HTTP2 is Here!
byAndy Davies
 
Woo: Writing a fast web server @ ELS2015
byfukamachi
 
Http Status Report
byConSanFrancisco123
 
HTTP/2: What's new?
byPiet van Dongen
 
HTTP/2 (2017)
byChristian Mäder
 
Shiny New HTTP Shit
byMark Nottingham
 
Http/2
byAdrian Cardenas
 
What's New and Newer in Apache httpd-24
byJim Jagielski
 
HTTP colon slash slash: end of the road? @ CakeFest 2013 in San Francisco
byAlessandro Nadalin
 

More from Positive Hack Days

PPTX
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
byPositive Hack Days
 
PPTX
Как мы собираем проекты в выделенном окружении в Windows Docker
byPositive Hack Days
 
PPTX
Типовая сборка и деплой продуктов в Positive Technologies
byPositive Hack Days
 
PPTX
Аналитика в проектах: TFS + Qlik
byPositive Hack Days
 
PPTX
Использование анализатора кода SonarQube
byPositive Hack Days
 
PPTX
Развитие сообщества Open DevOps Community
byPositive Hack Days
 
PPTX
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
byPositive Hack Days
 
PPTX
Автоматизация построения правил для Approof
byPositive Hack Days
 
PDF
Мастер-класс «Трущобы Application Security»
byPositive Hack Days
 
PDF
Формальные методы защиты приложений
byPositive Hack Days
 
PDF
Эвристические методы защиты приложений
byPositive Hack Days
 
PDF
Теоретические основы Application Security
byPositive Hack Days
 
PPTX
От экспериментального программирования к промышленному: путь длиной в 10 лет
byPositive Hack Days
 
PDF
Уязвимое Android-приложение: N проверенных способов наступить на грабли
byPositive Hack Days
 
PPTX
Требования по безопасности в архитектуре ПО
byPositive Hack Days
 
PDF
Формальная верификация кода на языке Си
byPositive Hack Days
 
PPTX
Механизмы предотвращения атак в ASP.NET Core
byPositive Hack Days
 
PDF
SOC для КИИ: израильский опыт
byPositive Hack Days
 
PDF
Honeywell Industrial Cyber Security Lab & Services Center
byPositive Hack Days
 
PDF
Credential stuffing и брутфорс-атаки
byPositive Hack Days
 
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
byPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
byPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
byPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
byPositive Hack Days
 
Использование анализатора кода SonarQube
byPositive Hack Days
 
Развитие сообщества Open DevOps Community
byPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
byPositive Hack Days
 
Автоматизация построения правил для Approof
byPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
byPositive Hack Days
 
Формальные методы защиты приложений
byPositive Hack Days
 
Эвристические методы защиты приложений
byPositive Hack Days
 
Теоретические основы Application Security
byPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
byPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
byPositive Hack Days
 
Требования по безопасности в архитектуре ПО
byPositive Hack Days
 
Формальная верификация кода на языке Си
byPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
byPositive Hack Days
 
SOC для КИИ: израильский опыт
byPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
byPositive Hack Days
 
Credential stuffing и брутфорс-атаки
byPositive Hack Days
 

Recently uploaded

PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
final.pdf
byomarbishtawi04
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
final.pdf
byomarbishtawi04
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
Workflow and decision Automation with Flowable
bychakib ch
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 

Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак

  • 1.
    Kernel HTTPS/TCP/IP stack forHTTP DDoS mitigation Alexander Krizhanovsky Tempesta Technologies, Inc. ak@tempesta-tech.com
  • 2.
    Who am I? CEO& CTO at Tempesta Technologies Developing Tempesta FW – open source Linux Application Delivery Controller (ADC) Custom software development in: ● high performance network traffic processing ● Databases e.g. MariaDB SQL System Versioning https://github.com/tempesta-tech/mariadb https://m17.mariadb.com/session/technical-preview-temporal-queryi ng-asof
  • 3.
    HTTPS challenges HTTP(S) isa core protocol for the Internet (IoT, SaaS, Social networks etc.) HTTP(S) DDoS is tricky ● Asymmetric DDoS (compression, TLS handshake etc.) ● A lot of IP addresses with low traffic ● Machine learning is used for clustering ● How to filter out all HTTP requests with “Host: www.example.com:80”? ● "Lessons From Defending The Indefensible": https://www.youtube.com/watch?v=pCVTEx1ouyk
  • 4.
    TCP stream filter IPtablesstrings, BPF, XDP, NIC filters ● HTTP headers can cross packet bounds ● Scan large URI or Cookie for Host value? Web accelerator ● aren’t designed (suitable) for HTTP filtering
  • 5.
    IPS vs HTTPDDoS e.g. Suricata, has powerful rules syntax at L3-L7 Not a TCP end point => evasions are possible SSL/TLS SSL terminator is required => many data copies & context switches or double SSL processing (at IDS & at Web server) Double HTTP parsing Doesn’t improve Web server peroformance (mitigation != prevention)
  • 6.
    Interbreed an HTTPaccelerator and a firewall TCP & TLS end point Very fast HTTP parser to process HTTP floods Network I/O optimized for massive ingress traffic Advanced filtering abilities at all network layers Very fast Web cache to mitigate DDoS which we can’t filter out ● ML takes some time for bots clusterization ● False negatives are unavoidable
  • 7.
  • 8.
    Application layer DDoS Servicefrom Cache Rate limit Nginx 22us 23us (Additional logic in limiting module) Fail2Ban: write to the log, parse the log, write to the log, parse the log…
  • 9.
    Application layer DDoS Servicefrom Cache Rate limit Nginx 22us 23us (Additional logic in limiting module) Fail2Ban: write to the log, parse the log, write to the log, parse the log… - really in 21th century?! tight integration of Web accelerator and a firewall is needed
  • 10.
    Web-accelerator capabilities Nginx, Varnish,Apache Traffic Server, Squid, Apache HTTPD etc. ● cache static Web-content ● load balancing ● rewrite URLs, ACL, Geo, filtering etc.
  • 11.
    Web-accelerator capabilities Nginx, Varnish,Apache Traffic Server, Squid, Apache HTTPD etc. ● cache static Web-content ● load balancing ● rewrite URLs, ACL, Geo, filtering? etc.
  • 12.
    Web-accelerator capabilities Nginx, Varnish,Apache Traffic Server, Squid, Apache HTTPD etc. ● cache static Web-content ● load balancing ● rewrite URLs, ACL, Geo, filtering? etc. ● C10K
  • 13.
    Web-accelerator capabilities Nginx, Varnish,Apache Traffic Server, Squid, Apache HTTPD etc. ● cache static Web-content ● load balancing ● rewrite URLs, ACL, Geo, filtering? etc. ● C10K – is it a problem for bot-net? SSL? CORNER ● what about tons of 'GET / HTTP/1.0nn'? CASES!
  • 14.
    Web-accelerator capabilities Nginx, Varnish,Apache Traffic Server, Squid, Apache HTTPD etc. ● cache static Web-content ● load balancing ● rewrite URLs, ACL, Geo, filtering? etc. ● C10K – is it a problem for bot-net? SSL? CORNER ● what about tons of 'GET / HTTP/1.0nn'? CASES! Kernel-mode Web-accelerators: TUX, kHTTPd ● basically the same sockets and threads ● zero-copy → sendfile(), lazy TLB
  • 15.
    Web-accelerator capabilities Nginx, Varnish,Apache Traffic Server, Squid, Apache HTTPD etc. ● cache static Web-content ● load balancing ● rewrite URLs, ACL, Geo, filtering? etc. ● C10K – is it a problem for bot-net? SSL? CORNER ● what about tons of 'GET / HTTP/1.0nn'? CASES! Kernel-mode Web-accelerators: TUX, kHTTPd ● basically the same sockets and threads ● zero-copy → sendfile(), lazy TLB => not needed
  • 16.
    Web-accelerator capabilities Nginx, Varnish,Apache Traffic Server, Squid, Apache HTTPD etc. ● cache static Web-content ● load balancing ● rewrite URLs, ACL, Geo, filtering? etc. ● C10K – is it a problem for bot-net? SSL? CORNER ● what about tons of 'GET / HTTP/1.0nn'? CASES! Kernel-mode Web-accelerators: TUX, kHTTPd NEED AGAIN ● basically the same sockets and threads TO MITIGATE ● zero-copy → sendfile(), lazy TLB => not needed HTTPS DDOS
  • 17.
    Web-accelerators are slow:SSL/TLS copying User-kernel space copying ● Copy network data to user space ● Encrypt/decrypt it ● Copy the date to kernel for transmission Kernel-mode TLS ● Facebook,RedHat: https://lwn.net/Articles/666509/ ● Netflix: https://people.freebsd.org/~rrs/asiabsd_2015_tls.pdf ● TLS handshake is still an issue ● TLS 1.3 is good, but DDoS bots can be legacy clients
  • 18.
    Web-accelerators are slow:profile % symbol name 1.5719 ngx_http_parse_header_line 1.0303 ngx_vslprintf 0.6401 memcpy 0.5807 recv 0.5156 ngx_linux_sendfile_chain 0.4990 ngx_http_limit_req_handler => flat profile
  • 19.
    Web-accelerators are slow:syscalls epoll_wait(.., {{EPOLLIN, ....}},...) recvfrom(3, "GET / HTTP/1.1rnHost:...", ...) write(1, “...limiting requests, excess...", ...) writev(3, "HTTP/1.1 503 Service...", ...) sendfile(3,..., 383) recvfrom(3, ...) = -1 EAGAIN epoll_wait(.., {{EPOLLIN, ....}}, ...) recvfrom(3, "", 1024, 0, NULL, NULL) = 0 close(3)
  • 20.
    Web-accelerators are slow:HTTP parser Start: state = 1, *str_ptr = 'b' while (++str_ptr) { switch (state) { <= check state case 1: switch (*str_ptr) { case 'a': ... state = 1 case 'b': ... state = 2 } case 2: ... } ... }
  • 21.
    Web-accelerators are slow:HTTP parser Start: state = 1, *str_ptr = 'b' while (++str_ptr) { switch (state) { case 1: switch (*str_ptr) { case 'a': ... state = 1 case 'b': ... state = 2 <= set state } case 2: ... } ... }
  • 22.
    Web-accelerators are slow:HTTP parser Start: state = 1, *str_ptr = 'b' while (++str_ptr) { switch (state) { case 1: switch (*str_ptr) { case 'a': ... state = 1 case 'b': ... state = 2 } case 2: ... } ... <= jump to while }
  • 23.
    Web-accelerators are slow:HTTP parser Start: state = 1, *str_ptr = 'b' while (++str_ptr) { switch (state) { <= check state case 1: switch (*str_ptr) { case 'a': ... state = 1 case 'b': ... state = 2 } case 2: ... } ... }
  • 24.
    Web-accelerators are slow:HTTP parser Start: state = 1, *str_ptr = 'b' while (++str_ptr) { switch (state) { case 1: switch (*str_ptr) { case 'a': ... state = 1 case 'b': ... state = 2 } case 2: ... <= do something } ... }
  • 25.
  • 26.
    Web-accelerators are slow:strings We have AVX2, but GLIBC doesn’t still use it HTTP strings are special: ● No ‘0’-termination (if you’re zero-copy) ● Special delimiters (‘:’ or CRLF) ● strcasecmp(): no need case conversion for one string ● strspn(): limited number of accepted alphabets switch()-driven FSM is even worse
  • 27.
    Fast HTTP parser http://natsys-lab.blogspot.ru/2014/11/the-fast-finite-state-machine-for- http.html ●1.6-1.8 times faster than Nginx’s HTTP optimized AVX2 strings processing: http://natsys-lab.blogspot.ru/2016/10/http-strings-processing-using-c- sse42.html ● ~1KB strings: ● strncasecmp() ~x3 faster than GLIBC’s ● URI matching ~x6 faster than GLIBC’s strspn() ● kernel_fpu_begin()/kernel_fpu_end() for whole softirq shot
  • 28.
    HTTP strong validation TODO:https://github.com/tempesta-tech/tempesta/issues/628 Injections: specify allowed URI characters for a Web app Resistant to large HTTP fields
  • 29.
  • 30.
  • 31.
  • 32.
    Web-accelerators are slow:async I/O Web cache also resides In CPU caches and evicts requests
  • 33.
    HTTPS/TCP/IP stack Alternative touser space TCP/IP stacks HTTPS is built into TCP/IP stack Kernel TLS (fork from mbedTLS) – no copying (1 human month to port TLS to kernel!) HTTP firewall plus to IPtables and Socket filter Very fast HTTP parser and strings processing using AVX2 Cache-conscious in-memory Web-cache for DDoS mitigation TODO HTTP QoS for asymmetric DDoS mitigation DSL for multi-layer filter rules
  • 34.
  • 35.
    TODO: HTTP QoS forasymmetric DDoS mitigation https://github.com/tempesta-tech/tempesta/issues/488 “Web2K: Bringing QoS to Web Servers” by Preeti Bhoj et al. Local stress: packet drops, queues overrun, response latency etc (kernel: cheap statistics for asymmetric DDoS) Upsream stress: req_num / resp_num, response time etc. Static QoS rules per vhost: HTTP RPS, integration w/ Qdisc - TBD Actions: reduce TCP window, don’t accept new connections, close existing connections
  • 36.
    Synchronous sockets: HTTPS/TCP/IPstack Socket callbacks call TLS and HTTP processing Everything is processing in softirq (while the data is hot) No receive & accept queues No file descriptors Less locking
  • 37.
    Synchronous sockets: HTTPS/TCP/IPstack Socket callbacks call TLS and HTTP processing Everything is processing in softirq (while the data is hot) No receive & accept queues No file descriptors Less locking Lock-free inter-CPU transport => faster socket reading => lower latency
  • 38.
    skb page allocator: zero-copyHTTP messages adjustment Add/remove/update HTTP headers w/o copies skb and its head are allocated in the same page fragment or a compound page
  • 39.
    skb page allocator: zero-copyHTTP messages adjustment Add/remove/update HTTP headers w/o copies skb and its head are allocated in the same page fragment or a compound page
  • 40.
    Sticky cookie User/session identification ●Cookie challenge for dummy DDoS bots ● Persistent/sessions scheduling (no rescheduling on a server failure) Enforce: HTTP 302 redirect sticky name=__tfw_user_id__ enforce;
  • 41.
    Sticky cookie User/session identification ●Cookie challenge for dummy DDoS bots ● Persistent/sessions scheduling (no rescheduling on a server failure) Enforce: HTTP 302 redirect sticky name=__tfw_user_id__ enforce; TODO: JavaScript challenge https://github.com/tempesta-tech/tempesta/issues/536
  • 42.
    TODO: Tempesta language https://github.com/tempesta-tech/tempesta/issues/102 if((req.user_agent =~ /firefox/i || req.cookie !~ /^our_tracking_cookie/) && (req.x_forwarded_for != "1.1.1.1" || client.addr == 1.1.1.1)) # Block the client at IP layer, so it will be filtered # efficiently w/o further HTTP processing. tdb.insert("ip_filter", client.addr, evict=10000);
  • 43.
    Frang: HTTP DoS Ratelimits ● request_rate, request_burst ● connection_rate, connection_burst ● concurrent_connections Slow HTTP ● client_header_timeout, client_body_timeout ● http_header_cnt ● http_header_chunk_cnt, http_body_chunk_cnt
  • 44.
    Frang: WAF Length limits:http_uri_len, http_field_len, http_body_len Content validation: http_host_required, http_ct_required, http_ct_vals, http_methods HTTP Response Splitting: count and match requests and responses Injections: carefully verify allowed character sets ...and many upcoming filters: https://github.com/tempesta-tech/tempesta/labels/security Not a featureful WAF
  • 45.
    WAF accelerator Just likeWeb accelerator Advanced load balancing: ● Server groups by any HTTP field ● Rendezvous hashing ● Ratio ● Adaptive & predictive Some DDoS attacks can be just normally serviced
  • 46.
  • 47.
    Performance analysis: software& hardware “NGINX Plus vs. F5 BIG‑IP: A Price‑Performance Comparison” https://www.nginx.com/blog/ nginx-plus-vs-f5-big-ip-a-price- performance-comparison/ Nginx: ~600K HTTP RPS w/o access log Difference must be larger for HTTP DDoS blocking (DDoS emulation is an issue)
  • 48.
    Performance analysis: kernelbypass Similar to DPDK/user-space TCP/IP stacks http://www.seastar-project.org/ http-performance/ ...bypassing Linux TCP/IP isn’t the only way to get a fast Web server ...lives in Linux infrastructure: LVS, tc, IPtables, eBPF, tcpdump etc.
  • 49.
    Keep the kernelsmall Just 30K LoC (compare w/ 120K LoC of BtrFS) Only generic and crucial HTTPS logic is in kernel Supplementary logic is considered for user space ● HTTP compression & decompression https://github.com/tempesta-tech/tempesta/issues/636 ● Advanced DDoS mitigation & WAF (e.g. full POST processing) ● ...other HTTP users (Web frameworks?) Zero-copy kernel-user space transport for minimizing kernel code
  • 50.
    TODO: Zero-copy kernel-user spacetransport HTTPS DDoS mitigation & WAF ● Machine learning clusterization in user space ● Automatic L3-L7 filtering rules generation
  • 51.
    Thanks! Web-site: http://tempesta-tech.com (Poweredby Tempesta FW) No failures for the year Availability: https://github.com/tempesta-tech/tempesta Blog: http://natsys-lab.blogspot.com E-mail: ak@tempesta-tech.com