You can check the status in your dashboard by choosing Domains -> Choose Domain -> Statistics. During the attack the difference between incoming and dropped packets becomes significant and easy to notice, and the blacklist is not empty.
There may be three reasons for this situation:
You need to:
We do not specialize in solving cybercrimes, and our filtering technologies do not include the means for identification of the malefactors who order and carry out the attacks.
It could be a network layer attack, which we are able to neutralize without using blacklists. For the details see the Traffic and Packets graphs, and you will notice the significant difference between total traffic for your website that enters the Qrator network and the traffic that is passed to your actual web application.
In addition, because of spoofing, during the attacks on the network layer and lower layers the information in the blacklist cannot help judge whether the attack is underway or not.
We cannot help you in this situation. Decreasing TTL will not affect the situation as the old record is already in the cache of DNS servers with the old TTL value.
Yes, it is the basic principle of the Qrator service operation.
Yes, it can be done in two variants: with disclosure of the client certificate and without it.
HTTPS protection is an optional service that needs to be enabled separately with additional billing.
We can protect such website from the attacks up to sixth layer of ISO/ISO model inclusively. In order to protect your resource from application layer attacks (first of all caused by malefactors who have reverse engineered your web application) we need a brief description of the used protocol or data containing the typical traffic of the protocol in tcpdump format.
We provide DNS protection in a variant of external secondary DNS only as a supplementary feature to the service of analysis and filtering of HTTP/HTTPS traffic.
As you connect to Qrator you can use it for adaptive traffic balancing. For this you need to list all IP addresses of the instances in Amazon, which are configured in ELB, in your personal dashboard in the corresponding section.
Advantages of our solution:
Operation through Amazon ELB service is also supported by Qrator on a separate request.
Qrator service provides protection only for HTTP and HTTPS protocols. We do not work with other types of protocols including mail services.
Most probably these requests come from our filtering nodes. Commonly all client requests are received by the nodes, and after inspection and filtering they are sent further to the protected domain. You can compared the addresses that caught your attention with the ones of our filtering nodes at https://client.qrator.net/infos/ips.
There are a lot of factors that are taken into account during the analysis of the traffic on the oritected website. The main ones are the behavior of the source and the history of its requests. The details of low-layer interaction in TCP context of the website visitor’s actions are also used for the analysis.
The blocked IP address will be excluded from the blacklist no sooner than after 5 minutes and no later than 8 hours – depends on the type of attack it was presumed to take part in.
No, the protection is enabled and disabled only by altering the DNS A record.
Start 2Mb/s has the highest price for the traffic that exceeds the limits (including traffic of the attack) but the lowest subscription cost. Other billing plans charge more for subscription but their cost already includes filtering of an attack for a set bandwidth. These plans also have lower price for the bandwidth of the traffic passing through, and only the legitimate part of the traffic is billed.
The filtering comes the same for each billing plan. However, the higher-priced billing plans offer higher quality of service and guarantees, and the priority of your requests will also be higher.
The quality of filtering will not deteriorate and the attack will be neutralized normally. You will be offered to change to a billing plan that suits your risks best, which will be in effect for at least three months in case you decide to change. Otherwise we may limit all incoming traffic (including legitimate traffic) to the bandwidth provided with your current billing plan.
Yes, you can, although you should consider that in this case all the traffic, including foul traffic of the attack, will be billed. This means that i.e. you get under a 30Mb/s DDoS your payments will amount (30-2)*1500 = 42000 rubles per whole traffic.
In order to change the A record you can use the control panel of your hosting provider in case the provider manages your domain name, or alternatively you can use control panel of the Internet registry that registered your domain. You should change your A record so that it point to the Qrator IP address provided during the registration.
We are ready to start filtering your traffic as soon as your registration is complete. The delay during the connection process is usually caused the DNS rewrite which we are not in control of, so it is not possible to speed it up.
Yes, it is possible in case all these domains have the same client IP address and use identical or similar web application software.
You can specify up to 16 client IP addresses which we will direct the traffic to for a single Qrator IP address in your Personal Dashboard.
By default, the round robin algorithm is used.
The changes come into effect in three minutes.
Most probably, you are trying to connect to the FTP server using the domain name corresponding to the Qrator network IP address. You should access the FTP server using its direct IP address.
You should do this manually in your Personal Dashboard – you need to choose the given domain at https://client.qrator.net/domains/, change the IP address in the corresponding field, and save your changes.
We have a limit on the total size of simultaneous POST requests. In case of exceeding this limit the users will keep receiving Error 413. There are several ways to solve this problem:
We recommend you to perform administrative actions on your website directly, bypassing the Qrator system. For this you need to add the “Domain_Name Domain_Client_IP_address” record in your hosts file. On Windows systems you can find the hosts file at C:\Windows\system32\drivers\etc\hosts.
No, it isn’t currently possible. We keep updating and refining the client’s interface constantly, so this possibility may appear in future.
You can look at the detailed statistics in real time with a 3-minute update interval in your Pesonal Dashboard, at Domains -> Choose Domain -> Statistics.
The previous tickets most likely obtained Closed status and do not appear in Personal Dashboard by default.
You can check that in your Personal Dashboard, in the following section:
https://client.qrator.net/domains/ -> Choose Domain -> Statistics: Blacklist -> Check blacklist.
A skip in the data in the statistics of your protected website’s traffic is not related with the quality of analysis and filtering of the traffic and does not mean the resource's unavailability during the corresponding period.
Forming the statistics takes a given amount of time – the longer the displayed period, the more time it takes. When the statistics is pre-formed and cached, it is displayed immediately.
We can display a placeholder HTML page provided by you or redirect the visitors to another specified address for the maintenance period.
If you wish your prepared pages to be shown instead of default error pages in case your application experiences problems, you need to send us the pages in HTML format at firstname.lastname@example.org
The meaning of HTTP QRATOR 502 error is the following: receiving a request from a legitimate peer at one of the nodes of the Qrator filtering network we proxy it via the best possible route to the client IP address of the protected application, attempting to establish a valid connection. We send the SYN packet and wait for SYN-ACK for 9 seconds. In case it doesn’t come back we repeat the SYN sending with another 9 seconds of waiting. If SYN-ACK doesn’t return for the second time, or any other response is received (e.g. FIN/RST/ICMP Destination Host Unreachable etc), we return HTTP Qrator 502 error to the legitimate peer in order to notify that the protected application is unavailable at the moment.
The Qrator network transfers application messages transparently. This error message was generated by the application which you requested, so it wasn’t initiated by the Qrator network.
The Qrator network doesn’t generate the 403 error messages -- they are probably generated by your web server and we just relay these messages through our network. You should contact your network administrator of hosting provider. It also may be that your web server isn’t configured in the proper way so that all client requests to the application must come only from several Qrator IP addresses.
Yes, it is possible. The Qrator network interprets the increasing amount of error messages as a trace of malicious activity and starts to blacklist the most suspicious website visitors.
You can check the availability of your website from our filtering nodes by yourself. Try Domains ->Choose Domain -> Traceroute to Server in your Personal Dashboard.
For solving the problems not directly related to automated traffic filtering you can use your own firewall application. Also, in order to be able to edit black- and whitelists manually you can subscribe to our optional service which provides the API (http://qrator.net/rates/). See the details at https://api.qrator.net.
We do not store access log records of the attack traffic.
We append the visitor’s IP address to the X-Forwarded-For field of each packet.
By RFC, the Qrator network appends the visitor’s IP address to the X_FORWARDED_FOR field. In case you have NGINX and Apache running on your server, NGINX also appends traffic source IP address to the X_FORWARDED_FOR field (in this case the source of traffic is the Qrator network). This means that Apache interprets this header field as <Real Visitor’s IP Address>, <Qrator Network IP address>.
Tweaking the corresponding settings in NGINX configuration makes this problem cease to exist.
If the address is not blacklisted, the user is not blocked by Qrator in any way. For figuring out the details you should post a ticket in your Personal Dashboard with the results of running ping yyyy.com and tracert yyyy.com commands.
We don’t provide the capability to add subnet IPs into the whitelist, as it is easy to make a mistake and add the whole Internet there, unintentionally. You can use any of the CIDR-to-list converters, e.g. http://www.magic-cookie.co.uk/iplist.html
Within all billing plans we calculate the maximum bandwidth of your website traffic during the month. You should also consider:
Traffic bandwidth is measured every three minutes. 30 maximum values per month (1.5 hours) is not taken into account. 31th maximum value - the sought bandwidth value.
You can connect to our system for a free 7-day trial period. Based on it you will get on your dashboard the desired statistics.
Until the 20th of every month we will charge a subscription fee of the following month, and before the 5th – extra fee for legitimate traffic of the previous month.
The subscription fee is charged for the full month, regardless of the connection date. Tip: if you're not under attack, then you probably should not be connected at the end of the month - wait a few days and save a payment for a month.