Our website is protected by Qrator and we seem to be under attack. How is it possible to check this?

You can check the status in your dashboard by choosing Domains -> Choose Domain -> Statistics. During the attack the difference between incoming and dropped packets becomes significant and easy to notice, and the blacklist is not empty.

Under DDoS

Our website has been attacked, we redirected the DNS A record to the Qrator IP but the DDoS traffic keeps on coming.

There may be three reasons for this situation:

  • not all DNS servers have refreshed their records yet, and not all the traffic is under protection at the moment. It takes some time;
  • you didn’t change the IP address of your server before connecting to Qrator, which means it can be known to the attacker who is able to perform the attack directly. You need to request a new IP address from your hosting provider;
  • you didn’t change the IP address of your server AND didn’t block the access to your server from all addresses besides our filtering nodes. You can do that either through your firewall software or with the help of your hosting provider. The list of Qrator IP addresses is available at https://client.qrator.net/infos/ips/.
Under DDoS

Our hosting provider has told us that the attackers know the real IP address of the web application and use it to bypass Qrator filtering. What should we do?

You need to:

  • Request a new IP address from your hosting provider, preferably from another subnet.
  • Allow only connections from Qrator filtering nodes, blocking all the others, in your firewall software.
  • Change the old customer IP address to a new one in your Qrator dashboard.
Under DDoS
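
One way to confirm that the firewall allowlist actually took effect, as an added example that is not Qrator's own tooling: scan the origin web server's access log for requests whose TCP peer is not a filtering node. The node range and log lines are constructed placeholders; the real list is published at https://client.qrator.net/infos/ips/.

```python
import ipaddress
from collections import Counter

# Constructed placeholder range (RFC 5737 documentation space), NOT real Qrator
# addresses; load the real list from https://client.qrator.net/infos/ips/.
FILTERING_NODES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed access-log lines; the first field is the TCP peer address.
SAMPLE_LOG = """\
198.51.100.10 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.11 - - [01/Jan/2024:10:00:01 +0000] "GET /news HTTP/1.1" 200 734
203.0.113.45 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.45 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512
not-an-ip - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 400 0
192.0.2.9 - - [01/Jan/2024:10:00:03 +0000] "POST /login HTTP/1.1" 200 90
"""


def direct_hits(log_text, nodes=FILTERING_NODES):
    """Count requests per peer that did not arrive through a filtering node.

    Returns (Counter of peer -> request count, number of unparsable lines).
    """
    hits = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        peer = line.split(" ", 1)[0]
        try:
            addr = ipaddress.ip_address(peer)
        except ValueError:
            unparsed += 1  # keep count instead of silently dropping the line
            continue
        if not any(addr in net for net in nodes):
            hits[str(addr)] += 1
    return hits, unparsed


if __name__ == "__main__":
    hits, unparsed = direct_hits(SAMPLE_LOG)
    for peer, count in hits.most_common():
        print(f"{peer} reached the origin directly ({count} requests)")
    print(f"{unparsed} line(s) could not be parsed")
```

With the allowlist in place the result should contain only addresses you expect, such as your own monitoring hosts; anything else means the origin is still reachable around the filtering nodes.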

Is it possible to identify the attacker?

We do not specialize in solving cybercrimes, and our filtering technologies do not include the means for identification of the malefactors who order and carry out the attacks.

Under DDoS

According to the dashboard the incoming traffic towards our website suddenly increased but the blacklist is empty.

It could be a network layer attack, which we are able to neutralize without using blacklists. For the details see the Traffic and Packets graphs, and you will notice the significant difference between total traffic for your website that enters the Qrator network and the traffic that is passed to your actual web application.

In addition, because of spoofing, during the attacks on the network layer and lower layers the information in the blacklist cannot help judge whether the attack is underway or not.

Under DDoS

We have changed the DNS A record of our website but the DNS does not refresh for a long time – the traffic does not go through Qrator. Can you help us?

We cannot help you in this situation. Decreasing TTL will not affect the situation as the old record is already in the cache of DNS servers with the old TTL value.

Under DDoS

Can you disable the filtering and enable it only when an attack is detected?

Yes, it is the basic principle of the Qrator service operation.

Qrator system

Is it possible to protect HTTPS services?

Yes, it can be done in two variants: with disclosure of the client certificate and without it.

HTTPS protection is an optional service that needs to be enabled separately with additional billing.

Billing plans Qrator system

Can you protect a website that works with a TCP-based protocol rather than an HTTP-based one?

We can protect such a website from attacks up to and including the sixth layer of the ISO/OSI model. In order to protect your resource from application layer attacks (first of all those caused by malefactors who have reverse engineered your web application) we need a brief description of the protocol used or data containing typical traffic of the protocol in tcpdump format.

Qrator system

Do you provide an additional Robust DNS Slave service?

We provide DNS protection in a variant of external secondary DNS only as a supplementary feature to the service of analysis and filtering of HTTP/HTTPS traffic.

Billing plans Qrator system

Is it possible to use a domain name instead of an IP address? We have got Elastic Load Balancing configured in Amazon so the IP address might be changing.

As you connect to Qrator you can use it for adaptive traffic balancing. For this you need to list all IP addresses of the instances in Amazon, which are configured in ELB, in your personal dashboard in the corresponding section.

Advantages of our solution:

  • Balancing of the incoming and redirected traffic takes into account geographical disposition and network topology of your customers
  • Analysis and balancing of the incoming traffic are carried out considering performance of each application server in particular, not the whole system
  • Elimination of an additional level of isolation between the customer and your protected website, which means an increase of its performance.

Operation through Amazon ELB service is also supported by Qrator on a separate request.

Qrator system

We need to maintain a mail server on our domain. How can we limit the access to it to only whitelisted addresses? The priority address is XX.XX.XX.XX.

Qrator service provides protection only for HTTP and HTTPS protocols. We do not work with other types of protocols including mail services.

Qrator system

Our web application receives numerous requests from a small number of IP addresses. Can this be an attack?

Most probably these requests come from our filtering nodes. Commonly all client requests are received by the nodes, and after inspection and filtering they are sent further to the protected domain. You can compare the addresses that caught your attention with the ones of our filtering nodes at https://client.qrator.net/infos/ips.

Qrator system

What kind of checks does the Qrator network perform during traffic analysis: IP packet headers, sources, anything else?

There are a lot of factors that are taken into account during the analysis of the traffic on the protected website. The main ones are the behavior of the source and the history of its requests. The details of low-layer interaction in TCP context of the website visitor’s actions are also used for the analysis.

Qrator system

If one of the protected website visitors is blacklisted, will it be permanent or just for a period?

The blocked IP address will be excluded from the blacklist no sooner than after 5 minutes and no later than 8 hours, depending on the type of attack it was presumed to take part in.

Qrator system

Is it possible to disable the protection for some time, or disable it for a specific part of the website?

No, the protection is enabled and disabled only by altering the DNS A record.

Qrator system

How do I change the domain A record?

In order to change the A record you can use the control panel of your hosting provider in case the provider manages your domain name, or alternatively you can use the control panel of the Internet registry that registered your domain. You should change your A record so that it points to the Qrator IP address provided during the registration.


How soon will my website be protected by Qrator after changing the A record?

We are ready to start filtering your traffic as soon as your registration is complete. The delay during the connection process is usually caused by the DNS rewrite, which we are not in control of, so it is not possible to speed it up.


Is it possible to use a single Qrator IP address for several customer domains?

Yes, it is possible in case all these domains have the same customer IP address and use identical or similar web application software.


How many customer website IP addresses can be associated with a single Qrator IP?

You can specify up to 16 customer IP addresses which we will direct the traffic to for a single Qrator IP address in your Personal Dashboard.


How are the requests distributed in case the website has several customer IP addresses?

By default, the round robin algorithm is used.


How soon does the Qrator network react to changing the customer IP address in the personal dashboard?

The changes come into effect in three minutes.


After connecting to Qrator, FTP access to the protected website stopped working. What is the problem?

Most probably, you are trying to connect to the FTP server using the domain name corresponding to the Qrator network IP address. You should access the FTP server using its direct IP address.


Our website will be transferred to a new server with a new IP address. Please change the configuration as needed for Qrator protection.

You should do this manually in your Personal Dashboard – you need to choose the given domain at https://client.qrator.net/domains/, change the IP address in the corresponding field, and save your changes.


I need to upload a large number of large files onto my protected website. Can this cause any problems to the filtering?

We have a limit on the total size of simultaneous POST requests. In case of exceeding this limit the users will keep receiving Error 413. There are several ways to solve this problem:

  1. You can omit the upload.example.com subdomain, which manages the uploads, from Qrator protection. This can also help you to optimize traffic bandwidth that is passed through the Qrator network.
  2. If you have a limited number of customers who perform uploads, you can tell them to put the direct IP address for uploading in their hosts file as example.com and work with it bypassing Qrator completely.

We’ve noticed QRATOR HTTP 504 error messages while accessing our website for administration by HTTPS protocol. We ask you to increase the maximum timeout, which now takes about 1 minute.

We recommend that you perform administrative actions on your website directly, bypassing the Qrator system. For this you need to add the “Domain_Name Domain_Client_IP_address” record in your hosts file. On Windows systems you can find the hosts file at C:\Windows\system32\drivers\etc\hosts.


Is it possible to add some of the settings into the control panel of Personal Dashboard?

No, it isn’t currently possible. We keep updating and refining the customer’s interface constantly, so this possibility may appear in the future.


We ask you to provide the information about the attack our resources are currently being subjected to.

You can look at the detailed statistics in real time with a 3-minute update interval in your Personal Dashboard, at Domains -> Choose Domain -> Statistics.


Where are all our previous tickets in Personal Dashboard?

The previous tickets most likely have the Closed status and do not appear in Personal Dashboard by default.


How do I know whether the visitor’s IP address is blacklisted or not?

You can check that in your Personal Dashboard, in the following section:

https://client.qrator.net/domains/ -> Choose Domain -> Statistics: Blacklist -> Check blacklist.



I need to change the password at my Personal Dashboard, but cannot find where the corresponding button is.


Personal Dashboard does not display a part of traffic statistics over a specific period. Was our website available during this period?

A gap in the data in the statistics of your protected website’s traffic is not related to the quality of analysis and filtering of the traffic and does not mean the resource was unavailable during the corresponding period.


Sometimes after logging into Personal Dashboard the protected website statistics does not display for some time.

Forming the statistics takes a given amount of time – the longer the displayed period, the more time it takes. When the statistics is pre-formed and cached, it is displayed immediately.


Our website is down for maintenance. How can we tell the visitors about it?

We can display a placeholder HTML page provided by you or redirect the visitors to another specified address for the maintenance period.

Error Codes

We need you to display special web pages to the visitors instead of standard 502, 503 and 504 web application error pages. How can we provide them to you?

If you wish your prepared pages to be shown instead of default error pages in case your application experiences problems, you need to send us the pages in HTML format at support@qrator.net.

Error Codes

Please explain HTTP QRATOR 502 error in details.

The meaning of HTTP QRATOR 502 error is the following: receiving a request from a legitimate peer at one of the nodes of the Qrator filtering network we proxy it via the best possible route to the customer IP address of the protected application, attempting to establish a valid connection. We send the SYN packet and wait for SYN-ACK for 9 seconds. In case it doesn’t come back we repeat the SYN sending with another 9 seconds of waiting. If SYN-ACK doesn’t return for the second time, or any other response is received (e.g. FIN/RST/ICMP Destination Host Unreachable etc), we return HTTP Qrator 502 error to the legitimate peer in order to notify that the protected application is unavailable at the moment.

Error Codes

Customer’s web browser displays an error like “Could not connect to the database”, “phpBB: Critical Error” or any other that doesn’t contain “QRATOR” in its text

The Qrator network transfers application messages transparently. This error message was generated by the application which you requested, so it wasn’t initiated by the Qrator network.

Error Codes

We have connected to the Qrator network, DNS has been rewritten, but the attempts to access the website return 403 Forbidden. What is the reason behind this?

The Qrator network doesn’t generate 403 error messages; they are probably generated by your web server and we just relay these messages through our network. You should contact your network administrator or hosting provider. It may also be that your web server isn’t properly configured for the situation where all client requests to the application come only from several Qrator IP addresses.

Error Codes

Our web application experiences slowdowns from time to time – we see 503/504 Error messages appearing. Can this trigger the increase of the number of the blocked visitors? We see in Personal Dashboard statistics that the peak number of error messages corresponds to the peak number of blacklisted IP addresses.

Yes, it is possible. The Qrator network interprets the increasing amount of error messages as a trace of malicious activity and starts to blacklist the most suspicious website visitors.

Error Codes

I cannot connect to my protected website. Can you check this out?

You can check the availability of your website from our filtering nodes by yourself. Try Domains -> Choose Domain -> Traceroute to Server in your Personal Dashboard.


Please block the access to the website from the specified IP/subnet/network group.

For solving the problems not directly related to automated traffic filtering you can use your own firewall application. Also, in order to be able to edit black- and whitelists manually you can subscribe to our optional service which provides the API (http://qrator.net/rates/). See the details at https://api.qrator.net.


Please provide us with the log records of the attack which targeted our website.

We do not store access log records of the attack traffic.

Log records

All traffic for our website comes from Qrator filtering nodes. How can we figure out our visitors’ true IP addresses by analyzing the IP packet headers?

We append the visitor’s IP address to the X-Forwarded-For header field of each HTTP request.


The IP packets coming through the Qrator network show incorrect IP address in their HTTP_X_FORWARDED_FOR header field, although this field is correct in case of direct communication. What can cause the problem?

By RFC, the Qrator network appends the visitor’s IP address to the X_FORWARDED_FOR field. In case you have NGINX and Apache running on your server, NGINX also appends the traffic source IP address to the X_FORWARDED_FOR field (in this case the source of traffic is the Qrator network). This means that Apache interprets this header field as <Real Visitor's IP Address>, <Qrator Network IP address>.

Tweaking the corresponding settings in NGINX configuration makes this problem cease to exist.
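
The header handling described above, as an added example that is not part of the original FAQ: walk the chain from the TCP peer backwards and take the first hop that is not a trusted proxy, which also discards any entries that were already in the header when the request reached Qrator. The proxy ranges and sample addresses are constructed placeholders, and the function name is an assumption of this example.

```python
import ipaddress

# Constructed placeholders, NOT real Qrator addresses; the real node list is
# published at https://client.qrator.net/infos/ips/.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",      # local NGINX sitting in front of Apache
    "198.51.100.0/24",  # placeholder for the Qrator filtering nodes
)]


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def visitor_ip(peer, xff_header):
    """Return the nearest hop that is not a trusted proxy, or None.

    peer        -- address of the TCP connection the application accepted
    xff_header  -- raw X-Forwarded-For value, e.g. "visitor, qrator-node"
    """
    chain = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    chain.append(peer)  # the TCP peer is the last hop and the only unforgeable one
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry before any untrusted hop was found
        if not is_trusted(addr):
            return str(addr)
    return None  # every hop was one of our own proxies


if __name__ == "__main__":
    # Apache behind NGINX behind Qrator: the case described in the answer.
    print(visitor_ip("127.0.0.1", "203.0.113.7, 198.51.100.10"))
    # Header arrived at Qrator with an extra leading entry; it is ignored.
    print(visitor_ip("127.0.0.1", "10.0.0.1, 203.0.113.7, 198.51.100.10"))
    # Request that did not come through a trusted proxy: the header is not believed.
    print(visitor_ip("192.0.2.50", "198.51.100.10"))
```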


The visitor with the IP address XX.XX.XX.XX cannot connect to our website yyyy.com. The address doesn’t show on the Qrator blacklist. How else can we figure out whether it is blocked or not?

If the address is not blacklisted, the user is not blocked by Qrator in any way. For figuring out the details you should post a ticket in your Personal Dashboard with the results of running ping yyyy.com and tracert yyyy.com commands.


Our website was down some time ago (about 10 minutes). Trying to access it yielded the HTTP QRATOR 502 error message. The problem was caused by a failure in the data center. They need the IP address and traces of the problematic route to figure out what caused the problem. Can you provide them?

  • Route tracing data is not stored by the Qrator network. You can see them in real time in your Personal Dashboard at Domains -> Traceroute to Server.
  • 502 Error messages mean that your web application was inaccessible from all Qrator filtering nodes, which means that the data center lost its convergence globally, not only by a specific direction.
Error Codes

How can I whitelist a subnet?

We don’t provide the capability to add subnet IPs into the whitelist, as it is easy to make a mistake and add the whole Internet there, unintentionally. You can use any of the CIDR-to-list converters, e.g. http://www.magic-cookie.co.uk/iplist.html
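
A converter of the kind mentioned above, as an added example that is not Qrator's or the linked site's code: it expands CIDR blocks into individual addresses and refuses the mistakes the answer warns about (an oversized block, or a block with host bits set). The cap of 256 addresses and the function name are assumptions of this example.

```python
import ipaddress


def expand_whitelist(entries, max_total=256):
    """Expand single IPs and CIDR blocks into a sorted, de-duplicated list.

    Raises ValueError for malformed entries, for blocks with host bits set
    (e.g. 203.0.113.5/24) and when the result would exceed max_total.
    """
    result = set()
    for entry in entries:
        # strict=True turns a mistyped network address into an error instead
        # of silently widening it to the enclosing block.
        net = ipaddress.ip_network(entry.strip(), strict=True)
        # Check the size before iterating: 0.0.0.0/0 holds 2**32 addresses.
        if net.num_addresses > max_total:
            raise ValueError(
                f"{entry!r} expands to {net.num_addresses} addresses, "
                f"limit is {max_total}"
            )
        result.update(net)  # includes the network and broadcast addresses
        if len(result) > max_total:
            raise ValueError(f"whitelist exceeds {max_total} addresses")
    # Sort numerically, IPv4 before IPv6, so .9 comes before .10.
    ordered = sorted(result, key=lambda a: (a.version, int(a)))
    return [str(a) for a in ordered]


if __name__ == "__main__":
    # Constructed sample input (documentation ranges).
    for ip in expand_whitelist(["203.0.113.8/30", "203.0.113.9", "192.0.2.1"]):
        print(ip)
    for bad in (["0.0.0.0/0"], ["192.0.0.0/2"], ["203.0.113.5/24"]):
        try:
            expand_whitelist(bad)
        except ValueError as exc:
            print("rejected:", exc)
```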


What kind of traffic is charged?

Within all billing plans we calculate the maximum bandwidth of your website traffic during the month. You should also consider:

  1. Legitimate traffic is the traffic of normal users (malicious traffic is not charged)
  2. Prevailing traffic (maximum of inbound and outbound).

Traffic bandwidth is measured every three minutes. The 30 maximum values per month (1.5 hours) are not taken into account. The 31st maximum value is the sought bandwidth value.

Billing plans Subscription fee

I do not know how to estimate the bandwidth of my website legitimate traffic before connection to your service. How can I do that? I need to predict a payment amount.

You can connect to our system for a free 7-day trial period. Based on it, you will get the desired statistics on your dashboard.

Billing plans Subscription fee

How many times per month and when will I receive a bill for services?

Before the 20th of every month we will charge the subscription fee for the following month, and before the 5th, an extra fee for legitimate traffic of the previous month.

Subscription fee

I got protected on the 20th day. How will the subscription fee be recalculated for that month?

The subscription fee is charged for the full month, regardless of the connection date. Tip: if you're not under attack, then you probably should not be connected at the end of the month - wait a few days and save a payment for a month.

Subscription fee

Will I get better filtering if I change to a billing plan with higher price?

The filtering is the same for each billing plan. However, the higher-priced billing plans offer higher quality of service and guarantees, and the priority of your requests will also be higher.

Billing plans

What happens if in case of a DDoS attack incoming traffic exceeds the bandwidth limit provided with the billing plan? Will it impact the quality of filtering?

The quality of filtering will not deteriorate and the attack will be neutralized normally. You will be offered to change to a billing plan that suits your risks best, which will be in effect for at least three months in case you decide to change. Otherwise we may limit all incoming traffic (including legitimate traffic) to the bandwidth provided with your current billing plan.

Billing plans