How Qrator works

DDoS Attack

A DDoS (Distributed Denial of Service) attack is a type of network attack intended to disable the website's operation by sending towards it a constant stream of requests from tens and hundreds of thousands infected computers all over the world. Regardless of what power reserves the network infrastructure supporting the web application has, it is not designed to withstand the load exceeding the normal one several times over and will most likely go down. As a rule, this leads to unfortunate consequences such as financial losses, losing reputation of a reliable partner or service provider, customer attrition or even closure of the business. Today a DDoS attack may cost as low as $50 a day which makes it a very popular option for Internet malefactors.

DDoS Classification

The main criteria for classification is determining which parts of the network are targeted by the attack. We classify DDoS attacks by the following layers:

  • Channel capacity
  • Network infrastructure
  • Protocol stack
  • Web application

The most difficult attacks to mitigate target the web application layer, demonstrating "smart" behaviour. We pay special attention to this kind of attacks and consider their mitigation one of the key points of our competence.

Important for everyone

It is a mistake to think that DDoS attacks target only Internet giants, large companies and organizations. The intent of the attacker is often unpredictable: their interests may span not only onto commercial spheres, but also political, charity, mass media and many others. Different events in politics and economics may shift the vector of DDoS attacks towards either of the spheres, but nevertheless, as the statistics shows, if the website simply gains profit or expresses an opinion objectional to someone, it is at risk.

Protection on your own

Website owner may try to get protected from DDoS by his own means, installing protection software on the server, but in most of  the cases this won't yield any positive results. The lack of success in protecting one's own infrastructure from DDoS is caused by the fact that the traffic may simply not be able to react the filtering devices and software - the attack can paralyze the network channels of both the victims and their service providers long before encountering any means of protection.

Protection by the hoster

Who may be the first to be called for help by DDoS victims? Usually the first thing that website owners do is ask their hosting providers for protection from the attacks. In case the hosting provider's network infrastructure includes specialized systems for DDoS mitigation, the protection from attacks on specific network layers can be effective. However in case a large-scale attack occurs, the hosting provider's may not handle it as hoster's networks are not designed to withstand extreme stress and usually aren't ready for a sudden impact of malicious traffic. The website owner in such case may receive a message similar to the following one: "A DDoS attack was detected on the XXXX.com domain which is on your account. The domain was suspended because of the attack causing emergency situation on the server where it was hosted, and it wouldn't possible to stabilize the server operation unless your application was stopped". This message was actually received by one of our then-future customers.

Protection by Qrator

The Qrator network is designed and built to operate under constant pressure of a large number of DDoS attacks. The nodes of the network are connected to the channels of the largest mainline Internet service providers of United States, Russia, Eastern and Western Europe. This means that, unlike hosting providers’ networks (especially ones that provide virtual hosting), our network is able to handle extreme loads and the attack on one of our customer’s domains won’t affect the performance of other domains in any way.

 

The connection process goes as follows:

The customer changes the DNS record so that incoming traffic is instead sent to the Qrator filtering nodes. These nodes announce their addresses using the BGP Anycast technology. In case some of the customer’s subnetworks need to be protected, too, their corresponding prefixes can also be added to BGP Anycast.

 

After connection, regardless of whether the attack is in progress or not, all incoming traffic for our customers enters the Qrator network and undergoes the analysis.  The legitimate traffic is then redirected to the protected website. This scheme of operation allows the filtering nodes to sort out which traffic profile can be considered normal for each website and react immediately in case of any deviations.

Every Qrator filtering node operates independently, so in case one of them stops working, the traffic won’t be lost and will be redirected to the neighboring filtering node.

Qrator node operation

Specifications

The Qrator network specifications are represented by the following basic features:

  • ~1000Gbps passive bandwidth – determined IP packet processing without establishing TCP connection
  • >300Gbps active bandwidth – every incoming TCP connection is processed and analyzed
  • <5% false-positive incidents during DDoS attack mitigation
  • Time needed by the network to learn, counted from the moment of connection
    • <4 minutes in 33% cases
    • 5 minutes to 1 hour in 60% cases
  • Added latency when traffic proxying is used – 0 to 100ms. In case HTTP traffic comes through the proxy, due to using persistent HTTP connections with your protected service there is a possibility of increase in its performance.
Read next: Why Qrator
Also in video:

DDoS concerns everyone

How Qrator mitigates DDoS

Why Qrator suits your needs

Events: