How Qrator Labs works

DDoS Attacks

A DDoS (Distributed Denial of Service) attack is a type of network attack intended to disable a website by sending it a constant stream of requests from tens or hundreds of thousands of infected computers all over the world. Whatever capacity reserves the network infrastructure behind the web application has, it is not designed to withstand a load several times higher than normal and will most likely go down. As a rule, this leads to unfortunate consequences such as financial losses, loss of reputation as a reliable partner or service provider, customer attrition or even closure of the business. Today a DDoS attack may cost as little as $50 a day, which makes it a very popular option for Internet malefactors.

DDoS Classification

The main criterion for classification is which part of the network the attack targets. We classify DDoS attacks by the following layers:

  • Channel capacity
  • Network infrastructure
  • Protocol stack
  • Web application

The most difficult attacks to mitigate target the web application layer and demonstrate "smart" behaviour. We pay special attention to this kind of attack and consider its mitigation one of the key points of our competence.

Important for everyone

It is a mistake to think that DDoS attacks target only Internet giants, large companies and organizations. The intent of the attacker is often unpredictable: their interests may extend not only to commercial spheres, but also to politics, charity, mass media and many others. Events in politics and economics may shift the vector of DDoS attacks towards one sphere or another, but, as the statistics show, if a website simply makes a profit or expresses an opinion objectionable to someone, it is at risk.

Protection on your own

A website owner may try to protect the site from a DDoS attack by their own means, installing protection software on the server, but in most cases this won't yield any positive results. Protecting one's own infrastructure from a DDoS attack fails because the traffic may simply never reach the filtering devices and software: the attack can paralyze the network channels of both the victims and their service providers long before it encounters any means of protection.

Protection by the hoster

Who do DDoS victims call for help first? Usually the first thing website owners do is ask their hosting provider for protection from the attacks. If the hosting provider's network infrastructure includes specialized systems for DDoS attack mitigation, protection from attacks on specific network layers can be effective. However, if a large-scale attack occurs, the hosting provider may not be able to handle it, as hosters' networks are not designed to withstand extreme stress and usually aren't ready for a sudden impact of malicious traffic. In that case the website owner may receive a message similar to the following one: "A DDoS attack was detected on the domain which is on your account. The domain was suspended because of the attack causing emergency situation on the server where it was hosted, and it wouldn't be possible to stabilize the server operation unless your application was stopped". This message was actually received by one of our then-future customers.

Protection by Qrator Labs

The Qrator Labs network is designed and built to operate under the constant pressure of a large number of DDoS attacks. The nodes of the network are connected to the channels of the largest mainline Internet service providers of the United States, Russia, Eastern and Western Europe, and Southeast Asia. This means that, unlike hosting providers’ networks (especially ones that provide virtual hosting), our network is able to handle extreme loads, and an attack on one of our customers’ domains won’t affect the performance of other domains in any way.


The connection process goes as follows:

The customer changes the DNS record so that incoming traffic is sent to the Qrator Labs filtering nodes instead. These nodes announce their addresses using the BGP Anycast technology. If some of the customer’s subnetworks need to be protected too, their corresponding prefixes can also be added to BGP Anycast.


After connection, regardless of whether an attack is in progress or not, all incoming traffic for our customers enters the Qrator Labs network and undergoes analysis. The legitimate traffic is then redirected to the protected website. This scheme of operation allows the filtering nodes to work out which traffic profile can be considered normal for each website and react immediately in case of any deviations.
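Because the scheme depends on all traffic entering the filtering network, it is worth checking after the DNS change that no name still resolves to the old server address. The following is an added example, not Qrator Labs code: the prefixes are documentation ranges standing in for the provider's anycast ranges, and the zone records are constructed sample data.

```python
import ipaddress

# ASSUMPTION: documentation prefixes stand in for the provider's anycast ranges.
FILTERING_PREFIXES = [ipaddress.ip_network(p)
                      for p in ("192.0.2.0/24", "2001:db8:1::/48")]

# Constructed sample zone data as (name, type, value); not real records.
SAMPLE_RECORDS = [
    ("example.com.", "A", "192.0.2.10"),
    ("example.com.", "AAAA", "2001:db8:1::10"),
    ("www.example.com.", "CNAME", "example.com."),
    ("api.example.com.", "A", "198.51.100.7"),           # old server address
    ("shop.example.com.", "CNAME", "api.example.com."),
    ("old.example.com.", "CNAME", "gone.example.com."),  # dangling alias
]

def resolve(name, records, depth=0):
    """Follow CNAMEs inside the record set and return the final addresses."""
    if depth > 8:  # guard against CNAME loops
        return set()
    addrs = set()
    for rname, rtype, value in records:
        if rname != name:
            continue
        if rtype in ("A", "AAAA"):
            addrs.add(ipaddress.ip_address(value))
        elif rtype == "CNAME":
            addrs |= resolve(value, records, depth + 1)
    return addrs

def audit_cutover(records, prefixes=FILTERING_PREFIXES):
    """Classify every name as 'filtered', 'direct' or 'unresolved'."""
    report = {}
    for name in sorted({r[0] for r in records}):
        addrs = resolve(name, records)
        direct = sorted(str(a) for a in addrs
                        if not any(a in net for net in prefixes))
        if not addrs:
            report[name] = ("unresolved", [])
        elif direct:
            report[name] = ("direct", direct)  # traffic skips the filtering nodes
        else:
            report[name] = ("filtered", [])
    return report

if __name__ == "__main__":
    for name, (status, addrs) in audit_cutover(SAMPLE_RECORDS).items():
        print(f"{name:22} {status:10} {', '.join(addrs)}")
```

Names reported as `direct` still send clients straight to the server, so their traffic is never analysed by the filtering nodes.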

Every Qrator Labs filtering node operates independently, so if one of them stops working, the traffic won’t be lost and will be redirected to the neighboring filtering node.

Qrator Labs node operation


The following basic figures make up the Qrator Labs network specifications:

  • ~3000 Gbps of bandwidth dedicated to DDoS attack mitigation;
  • <5% false-positive incidents during DDoS attack mitigation;
  • Time needed for the network to learn a newly connected customer: less than 2 hours;
  • Time to mitigate a DDoS attack: from 30 seconds to 3 minutes;
  • Added latency when proxying traffic: 0 to 100 ms. When HTTP traffic comes through the proxy, the use of persistent HTTP connections with your protected service can possibly improve latency;
  • No limitation on the number of services or data centres under protection.