Skip to main content
Qrator defense
Last update:

Qrator defense

DDoS protection in partnership with Qrator is available as an optional service for Selectel products:

Qrator security works at all layers of the network model, including the application layer (L7). Additionally, WAF Qrator can be connected to the service to protect against hacking of highly loaded web applications.

Working principle

When you order the service, you are given a secure address to which you need to redirect your traffic. All traffic to the protected address is sent to Qrator filtering nodes, where it is analyzed and cleaned, and then redirected to the protected server in the Selectel infrastructure.

All nodes in the Qrator network operate independently of the others. If the filtering node closest to you becomes unavailable, traffic is automatically redirected to the next closest node.

Connecting the service will not protect against a DDoS attack if the attackers know the target IP address. Before connecting, you must remove any mention of IP addresses you want to protect from external resources. If addresses are already under attack, you need to order a new subnet and configure it on your servers.

Cost

The cost of the service is made up of:

  • of the selected Qrator Protection service rate;
  • the cost of additional protected IPv4 addresses if more than one IP address needs to be protected. One secure address is included in the rate;
  • additional cleared traffic bandwidth if it exceeds 10 Mbps;
  • the cost of a new subnet if it is needed to connect the service.

The service is payable monthly on the 1st of each month. The commencement of commercial use of the service is agreed upon on an individual basis.

View prices for Qrator protection at selectel.ru.

Traffic charging

Filtered traffic that exceeds the 10 Mbps bandwidth is charged. To calculate the bandwidth, the average bandwidth value of outgoing and filtered incoming traffic to the protected IP address is compared every minute, and the higher of these values is taken. At the end of a calendar month, 90 maximum values are discarded, then the remaining maximum value is rounded down to a whole number of Mbps. The resulting number is the value of the paid traffic bandwidth.

Attack traffic (unwanted traffic bandwidth) is not charged. To calculate the bandwidth of unwanted traffic is measured every three minutes, the 30 maximum values for the month are not counted, the 31st maximum value is the bandwidth value.

If the attack exceeds the bandwidth provided by the tariff, the quality of traffic filtering may deteriorate. In this case, we will offer you the opportunity to upgrade to the next plan for a minimum of three months. If you don't want to switch to the next tariff, but want to maintain the quality of filtering, you can limit all incoming traffic, including legitimate traffic, to the bandwidth specified in the tariff.

Connect the service

Before activating the service, top-up balance by required amount.

  1. If your server only has a public shared address or public IP address, or is already under attack, order and configure a new subnet.
  2. Order Protection Qrator.
  3. Specify a protected address in the A-record of the domain.
  4. Add SSL certificate.

1. Order and configure a new subnet

A new subnet is required if your server has only a public shared address or a /32 public IP address, or if it is already under attack, i.e. the target IP address is already known to the attackers.

Order a subnet and configure the address from it on the server:

2. Order the service Qrator Protection

  1. In Control Panel, go to Network ServicesDDDoS Protection.

  2. Click Service Order.

  3. In the row of the desired Qrator tariff (Professional, Business, Corporate), click Pay.

  4. Verify the details and click Pay the service.

  5. We will create and send a ticket about the service order. In this ticket, send us:

    • domain to be protected (subdomains will be protected automatically);
    • The IP address to which to send the filtered traffic;
    • email to register in the Qrator personal cabinet.

  6. We will process the order and send you a secure IP address in a ticket, which you will need to specify in the A-record of the domain, as well as data for logging into your personal Qrator account. Connection takes up to one business day.

3. Specify a secure IP address in the A-record of the domain

  1. Go to your domain registrar's control panel where your domain records are stored.
  2. In the A-record, change the value to the secure IP address that you received in the ticket when service order.

4. Add SSL Certificate

  1. Log in to personal account on the Qrator website. Login and password can be seen in the service order ticket.
  2. Go to Certificate storage.
  3. Press ADD CERTIFICATE.
  4. If you don't have an SSL certificate, you can issue a free Let's Encrypt certificate that protects a single domain. To do this, open the USE LET'S ENCRYPT tab, click Next, select the domain, enter the domain name and click CREATE CERTIFICATE.
  5. If you have an SSL certificate or want to protect several domains with the same IP address — open the UPLOAD CERTIFICATE tab, select the file and click UPLOAD.
    The certificate to protect several domains must be multi-domain: to protect different domains — SSL or UCC with SAN option, to protect a domain and subdomains — Wildcard.

View statistics

After connecting and configuring the service, you can view traffic statistics.

  1. Log in to personal account on the Qrator website. Login and password can be seen in the service order ticket.

  2. Go to Reports. Here you can see statistics on incoming and filtered traffic. You can use filters when building statistics:

    • by type (traffic, packets, requests, and so on);
    • by time (5 hours, a day, a week, a month, and so on).

Deactivate the service

  1. Make sure you reconfigure to accept traffic to an address on your subnet. The protected address issued when the service was activated will be deactivated along with the protection.
  2. Go to your domain registrar's control panel where your domain records are stored.
  3. In the domain A record, change the value to an address from your subnet.
  4. In Control Panel, go to Network ServicesDDDoS Protection.
  5. From the services menu, select Disable Monthly Payment.
  6. Optional: create a ticket for refunds for full unused months.