Tempesta FW, a handy firewall against DDoS attacks

Open source tools for protection against DDoS attacks (IPS), such as Snort, are based on DPI, that is, they analyze the entire protocol stack. However, they cannot control the opening and closing of TCP connections, since they sit too high in the Linux network stack and act as neither the server nor the client side. This makes it possible to bypass the IPS. Proxy servers do take part in establishing the connection, but they cannot protect against major DDoS attacks because they are relatively slow: they work on the same principle as the server. Ideally, they should run on hardware that, while not as good as the back end's, can withstand heavy loads.

NatSys Lab decided to follow the path of kHTTPd and TUX and implement a framework for working with HTTP in kernel mode. So far, this framework is in the alpha stage; a release is promised for mid-2015. Still, to understand how it works and to experiment with the tool, we can examine the prototype, which is quite operational.

Installation and Configuration

To build Tempesta, you need the source code for kernel 3.10.10 along with the necessary tools. Download the source code of the project:

Getting Tempesta

Copy the patch and apply it:

Enable the necessary features: turn on ‘CONFIG_SECURITY’ and ‘CONFIG_SECURITY_NETWORK’, disable all other LSM capabilities such as SELinux and AppArmor, and set ‘Warn for stack frames larger than’ in the ‘kernel hacking’ submenu to 2048. Then build and install the kernel:

Setting the stack frame size in the kernel

After rebooting, you can proceed with building Tempesta. To do this, go to the directory where we cloned it and enter the following command:

Assembling Tempesta


The argument ‘NORMALIZATION=1’ passed to ‘make’ when building the Tempesta modules enables normalization of HTTP traffic.

After the build you can, of course, run the tool, but first let’s examine the configuration file. You can find an example of it in etc/tempesta_fw.conf. Let’s examine what is inside:

In addition to this configuration file, the same directory contains the file ‘tfw_sched_http.conf’, which holds the HTTP routing rules. In theory, its content should be included in the previous file, but apparently it was left as a separate file so that the developers can later add the option to process it in the manager module. Let’s have a look at its syntax:

As I already mentioned, these two files cannot be used separately; they must be combined into one, which you can do with the following command:

Finally, run:

To stop it, use the same command with the argument ‘stop’.


ModSecurity is a WAF module for Apache that provides the following features:

  • Real-time monitoring and access control;
  • Virtual patching, a technology for eliminating vulnerabilities without modifying the vulnerable application. It supports a flexible language for writing rules;
  • Logging of all HTTP traffic;
  • Evaluating the security of web applications;
  • and much more.

ModSecurity can be configured both as a reverse proxy and as a plug-in for Apache.


We should also examine the internal architecture of the project.

General Information

Before examining this framework, let’s recall how similar software operates. Virtually all modern HTTP servers use Berkeley sockets which, despite their utility, have two major problems. The first is the excessive number of various features. For example, to limit the number of connected clients, you first need to allow the incoming connection by using ‘accept()’, then find out the address of the client by using ‘getpeername()’, check whether the address is in the table, and close the connection. This takes more than six context switches. The second problem is that the read operation from the socket is asynchronous to the actual receipt of TCP packets, which further increases the number of context switches.
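
The accept()/getpeername()/table check/close() sequence described above, written out as an added example (it is not code from Tempesta FW or from the original article). The table size, the per-address limit and the function names are assumptions made for the illustration.

```c
/* Added example: per-client connection limit done in user space. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_PEERS    1024  /* assumed table size */
#define MAX_PER_PEER 3     /* assumed per-address connection limit */

struct peer { uint32_t addr; unsigned conns; };
struct peer_table { struct peer slot[MAX_PEERS]; size_t used; };

/* Table check: count the connection; return 1 if allowed, 0 if over the limit.
 * A real server would also release the slot when the connection closes. */
int peer_admit(struct peer_table *t, uint32_t addr)
{
    for (size_t i = 0; i < t->used; i++) {
        if (t->slot[i].addr == addr) {
            if (t->slot[i].conns >= MAX_PER_PEER)
                return 0;
            t->slot[i].conns++;
            return 1;
        }
    }
    if (t->used == MAX_PEERS)
        return 0;                        /* table full: fail closed */
    t->slot[t->used++] = (struct peer){ .addr = addr, .conns = 1 };
    return 1;
}

/* Returns the client fd, -2 if the client was rejected (or could not be
 * identified), -1 if accept() failed. Three system calls, each a round trip
 * into the kernel, are spent before an unwanted client is dropped. */
int accept_limited(int lfd, struct peer_table *t)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);

    int cfd = accept(lfd, NULL, NULL);   /* call 1: the TCP handshake is already complete */
    if (cfd < 0)
        return -1;
    if (getpeername(cfd, (struct sockaddr *)&sa, &len) < 0 ||   /* call 2 */
        sa.sin_family != AF_INET ||
        !peer_admit(t, ntohl(sa.sin_addr.s_addr))) {
        close(cfd);                      /* call 3: the rejection happens only here */
        return -2;
    }
    return cfd;
}
```

The rejection can only happen after the kernel has finished the handshake and handed the socket to the process, which is the overhead the paragraph above attributes to the Berkeley sockets model.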
