
Curator protection

DDoS protection in partnership with Curator is available as an optional service for Selectel products:

Curator protection works at all layers of the network model, including the application layer (L7). Additionally, WAF Curator can be connected to the service to protect against web application hacking.

Principle of operation

When ordering the service, you get a protected address to which you need to redirect your traffic. All traffic to the protected address is sent to Curator filtering nodes, where it is analyzed and cleaned, and then redirected to the protected server in Selectel infrastructure.

All nodes in the Curator network operate independently of the others. If the filtering node closest to you becomes unavailable, traffic is automatically redirected to the next closest node.

Connecting the service will not protect against DDoS attacks if the attackers know the target IP address. Before connecting, remove all mentions of the IP addresses you want to protect from external resources. If the IP addresses are already under attack, order a new subnet and configure it on your servers.
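A check for the warning above, as an added example (not Selectel or Curator tooling): it scans your own DNS zone, one of the external resources that commonly still mentions the address, for records that disclose the server IP. The zone records, the example.com names and the documentation-range addresses are constructed for illustration.

```python
import ipaddress
import re

def _norm(host):
    return host.rstrip(".").lower()

def find_origin_leaks(records, origin_ip):
    """Return (name, type, reason) for zone records that disclose origin_ip.

    records: (name, type, value) tuples, e.g. parsed from a zone export.
    """
    origin = ipaddress.ip_address(origin_ip)
    # Hostnames whose A record is the origin address itself.
    exposed = {_norm(n) for n, t, v in records
               if t == "A" and ipaddress.ip_address(v) == origin}
    leaks = []
    for name, rtype, value in records:
        if rtype == "A" and ipaddress.ip_address(value) == origin:
            leaks.append((_norm(name), rtype, "address is the origin"))
        elif rtype in ("MX", "CNAME", "SRV"):
            target = _norm(value.split()[-1])  # last field is the target host
            if target in exposed:
                leaks.append((_norm(name), rtype, f"target {target} is at the origin"))
        elif rtype == "TXT":
            # SPF ip4 mechanisms list sending addresses in clear text.
            for net in re.findall(r"\bip4:([0-9./]+)", value):
                if origin in ipaddress.ip_network(net, strict=False):
                    leaks.append((_norm(name), rtype, f"SPF ip4:{net} covers the origin"))
    return leaks

# Constructed sample: 198.51.100.7 plays the protected address,
# 203.0.113.10 the server address that must stay private.
ORIGIN_IP = "203.0.113.10"
CONSTRUCTED_ZONE = [
    ("example.com", "A", "198.51.100.7"),
    ("www.example.com", "A", "198.51.100.7"),
    ("direct.example.com", "A", "203.0.113.10"),
    ("example.com", "MX", "10 mail.example.com."),
    ("mail.example.com", "A", "203.0.113.10"),
    ("example.com", "TXT", "v=spf1 ip4:203.0.113.0/28 -all"),
]

if __name__ == "__main__":
    for leak in find_origin_leaks(CONSTRUCTED_ZONE, ORIGIN_IP):
        print(*leak, sep="  ")
```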

Cost

The cost of the service consists of:

  • the cost of the selected service tariff. To see the prices for Curator Protection service tariffs, please visit selectel.ru;
  • the cost of additional protected IPv4 addresses if you need to protect more than one IP address. The first protected address is free of charge;
  • payment for additional bandwidth if it exceeds 10 Mbps;
  • the cost of a new subnet if it is needed to connect the service.

On the day of connection, a one-time payment equal to the cost of the selected tariff is deducted. Then the payment is deducted automatically on the first day of each month. The invoice for payment of additional bandwidth is generated in the control panel within five working days after the end of the calendar month.

A single balance or a basic balance is used to pay for the service depending on the type of balance in the account.

Calculating the bandwidth of legitimate traffic

Only legitimate traffic — cleared of malicious requests — is charged.

To calculate the bandwidth, the volume of incoming and outgoing traffic cleared by the filtering system is measured every minute. The maximum value for each minute is selected from the obtained values. At the end of the calendar month, all maximum values are sorted in descending order. The 90 largest values are excluded from the calculation. The 91st maximum value is rounded down to a whole number of Mbps; this number is the bandwidth value. If the value exceeds 10 Mbps, each additional Mbps is charged separately.

Calculating the bandwidth of attack traffic

Attack traffic is not charged.

To calculate the attack bandwidth, the amount of attack traffic is measured every three minutes. The 30th maximum value per month is not taken into account; the 31st maximum value is the bandwidth value. If an attack exceeds the bandwidth provided in the tariff, the quality of traffic filtering may deteriorate. In this case, we will suggest that you switch to the next tariff plan for a period of at least three months. If you do not want to switch to the next tariff plan but want to maintain the quality of filtering, you can limit all incoming traffic, including legitimate traffic, to the bandwidth specified in the tariff.
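The two calculations above, carried through on constructed data as an added example (not Selectel's billing code). It reads "maximum value for each minute" as the larger of the incoming and outgoing figures; the function names, the sample month and the handling of a month with too few samples are assumptions.

```python
import math

INCLUDED_MBPS = 10  # bandwidth covered by the tariff before extra Mbps are billed

def nth_maximum(values, n):
    """Return the n-th largest sample (1-based).

    Assumption: with fewer than n samples (partial month) the result is 0.0;
    the page does not describe that case.
    """
    ordered = sorted(values, reverse=True)
    return ordered[n - 1] if len(ordered) >= n else 0.0

def legitimate_bandwidth_mbps(per_minute):
    """per_minute: (incoming_mbps, outgoing_mbps) of cleaned traffic, one pair per minute."""
    peaks = [max(incoming, outgoing) for incoming, outgoing in per_minute]
    # The 90 largest per-minute peaks are dropped; the 91st is rounded down.
    return math.floor(nth_maximum(peaks, 91))

def extra_billed_mbps(per_minute):
    """Whole Mbps above the included 10 Mbps that are charged separately."""
    return max(0, legitimate_bandwidth_mbps(per_minute) - INCLUDED_MBPS)

def attack_bandwidth(per_three_minutes):
    """31st largest of the three-minute attack samples (no rounding is stated)."""
    return nth_maximum(per_three_minutes, 31)

def constructed_month(burst_minutes, burst_mbps=40.9):
    """Constructed 30-day sample: 4 in / 6.5 out Mbps baseline plus one inbound burst."""
    minutes = 30 * 24 * 60
    return [(burst_mbps if m < burst_minutes else 4.0, 6.5) for m in range(minutes)]

if __name__ == "__main__":
    # A 90-minute burst falls entirely inside the excluded values; 91 minutes does not.
    for burst in (90, 91):
        month = constructed_month(burst)
        print(burst, legitimate_bandwidth_mbps(month), extra_billed_mbps(month))
```

In the constructed month, a burst of up to 90 minutes leaves the billed value at the baseline, while one more minute at the burst rate sets the value for the whole month.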

Connect the service

Before activating the service, top up the balance by the required amount.

  1. Order and configure a new subnet if your server only has a public shared address or public IP address, or if the server is already under attack.
  2. Order a service.
  3. Specify a protected address in the domain's A record.
  4. Add a TLS (SSL) certificate.

1. Order and configure a new subnet

A new subnet is required if your server only has a public shared address or public IP address /32, or if the server is under attack and the target IP address is already known to the attackers.

Order a subnet and configure the address from it on the server:

2. Order a service

  1. In the control panel, click Products in the top menu and select DDoS Protection.

  2. Go to the DDoS Protection section.

  3. Click Order Services.

  4. In the line of the desired Curator tariff (Professional, Business, Corporate), click Pay.

  5. Verify the details and click Pay for Service.

  6. We will create and send a service order ticket.

  7. In this ticket, send us:

    • the domain to be protected (subdomains will be protected automatically);
    • the IP address to which the filtered traffic should be sent;
    • an email address for registration in Curator's personal account. The login details will be sent to this email.
  8. We will process the order and send you a protected IP address in a ticket, which you will need to specify in the A record of the domain. Connection takes up to one business day.

3. Specify a protected IP address in the domain A record

  1. Go to your domain registrar's control panel where your domain records are stored.
  2. In the A record, change the value to the protected IP address that you received in the ticket when ordering the service.

4. Add a TLS (SSL) certificate

  1. Log in to your Curator personal account. To log in, use the login and password you received by email when ordering the service in step 2.

  2. Navigate to the Certificate Store section.

  3. Click Add Certificate.

  4. If you don't have a TLS (SSL) certificate, you can issue a free Let's Encrypt® certificate that protects a single domain:

    4.1 Open the Use Let's Encrypt tab.

    4.2 Click Next.

    4.3 Select the domain that will be used to obtain the certificate.

    4.4 Enter one or more domain names for which you want to issue a certificate.

    4.5 Click Create Certificate.

  5. If you have a TLS (SSL) certificate or you want to protect multiple domains with the same IP address, you can add a certificate. A certificate that protects multiple domains must be multi-domain: an SSL or UCC certificate with the SAN option to protect different domains, or a Wildcard certificate to protect a domain and its subdomains.

    5.1 Open the Upload Certificate tab.

    5.2 Select a file.

    5.3 Click Upload.
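A pre-upload check for step 5, as an added example (not part of the Curator interface): given the SAN entries of a certificate, it lists the hostnames the certificate does not cover, using standard one-label wildcard matching. The SAN lists and example.com hostnames are constructed; reading the entries out of the certificate file is not shown.

```python
def san_matches(pattern, hostname):
    """True if one SAN dNSName entry covers hostname.

    A leading "*." stands for exactly one label, so "*.example.com" covers
    "www.example.com" but neither "example.com" nor "a.b.example.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    first_label, _, parent = hostname.partition(".")
    return bool(first_label) and parent == pattern[2:]

def uncovered(san_entries, hostnames):
    """Hostnames that no SAN entry covers; an empty list means the certificate fits."""
    return [h for h in hostnames
            if not any(san_matches(p, h) for p in san_entries)]

# Constructed inputs: hostnames served behind one protected address.
HOSTNAMES = ["example.com", "www.example.com", "api.example.com",
             "a.b.example.com", "example.org"]
WILDCARD_ONLY = ["*.example.com"]
MULTI_DOMAIN = ["example.com", "*.example.com", "example.org"]

if __name__ == "__main__":
    print("wildcard only:", uncovered(WILDCARD_ONLY, HOSTNAMES))
    print("multi-domain: ", uncovered(MULTI_DOMAIN, HOSTNAMES))
```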

View statistics

After connecting and configuring the service, you can view statistics on traffic.

  1. Log in to your Curator personal account. To log in, use the login and password you received by email when ordering the service.

  2. Go to the Documents section and select Reports. Here you can view statistics on incoming and filtered traffic. You can use filters when building statistics:

    • by type (traffic, packets, requests, and so on);
    • by time (five hours, a day, a week, a month, and so on).

Deactivate the service

  1. Make sure that you have reconfigured traffic reception to an address from your subnet. The protected address issued when you connected the service will be deactivated along with the protection.
  2. Go to your domain registrar's control panel where your domain records are stored.
  3. In the domain A record, change the value to an address from your subnet.
  4. In the control panel, click Products in the top menu and select DDoS Protection.
  5. Go to the DDoS Protection section.
  6. From the menu of the service, select Disable Monthly Payment.
  7. Optional: create a ticket to request a refund for full unused months.