Qrator defense

Last update: October 08 2024

Qrator defense

DDoS protection in partnership with the company Qrator is available as an optional service for Selectel products:

• Dedicated servers
• Equipment placement and rental of racks
• Selectel Cloud Platform
• VMware-based cloud

Qrator security works at all layers of the network model, including the application layer (L7). In addition, the service can be supplemented with WAF Qrator to protect against hacking of highly loaded web applications.

Principle of operation⁠

When ordering the service, you will be given a secure address to which you need to redirect your traffic. All traffic to the protected address is sent to Qrator filtering nodes, where it is analyzed and cleaned, and then redirected to the protected server in Selectel infrastructure.

All nodes on the Qrator network operate independently of the others. If the filtering node closest to you becomes unavailable, traffic is automatically redirected to the next closest node.

Connecting the service will not protect against DDoS attacks if the attackers know the target IP address. Before connecting, you should remove all references to the IP addresses you want to protect from external resources. If the addresses are already under attack, you should order a new subnet and configure it on your servers.

Cost⁠

The cost of the service adds up:

• from the selected service tariff Qrator defense;
• the cost of additional protected IPv4 addresses if more than one IP address needs to be protected. One protected address is included in the tariff price;
• extra cleared lanes if it exceeds 10 Mbps;
• the cost of a new subnet if it is needed to connect the service.

The service is paid monthly on the 1st day of each month. The start of commercial use of the service is agreed individually.

To view prices for Qrator protection, please visit selectel.ru.

Traffic charging⁠

The filtered traffic that exceeds the 10 Mbps bandwidth is charged. To calculate the bandwidth, the average bandwidth value of outgoing and filtered incoming traffic to the protected IP address is compared every minute, and the higher of these values is taken. At the end of the calendar month 90 maximum values are discarded, then the remaining maximum value is rounded down to a whole number of Mbps. The resulting number is the value of the paid traffic bandwidth.

Attack traffic (unwanted traffic bandwidth) is not charged. For calculation purposes, the unwanted traffic bandwidth is measured every three minutes, 30 maximum values per month are not counted, the 31st maximum value is the bandwidth value.

If the attack exceeds the bandwidth provided by the tariff, the quality of traffic filtering may deteriorate. In this case, we will offer you to switch to the next tariff plan for a period of at least three months. If you do not want to switch to the next tariff plan but want to maintain the quality of filtering, you can limit all incoming traffic, including legitimate traffic, to the bandwidth specified in the tariff.

Connect the service⁠

Before activating the service top up on required amount.

1. If your server only has a public shared address or public IP address, or is already under attack, order and configure a new subnet.
2. Order Qrator Protection Service.
3. Specify a protected address in the A-record of the domain.
4. Add a TLS(SSL)-certificate.

Order and configure a new subnet⁠

A new subnet is required if your server only has a public shared address or a public IP address /32or it is already under attack, i.e. the target IP address is already known to the attackers.

Order a subnet and configure the address from it on the server:

• for a dedicated server-- public dedicated subnet;
• of the cloud server-- public subnet.

Order the service Qrator Protection⁠

1. В control panels go to Network services → DDoS protection.

2. Click Order services.

3. In the line of the desired Qrator tariff (Professional, Business, Corporate), press Pay.

4. Check the data and press Pay for the service.

5. We'll create and ship ticket about ordering the service. In this ticket send us:

   • domain to be protected (subdomains will be protected automatically);
   • The IP address to which to send the filtered traffic;
   • email to register in the Qrator personal cabinet.

6. We will process the order and send you a secure IP address in a ticket, which you will need to specify in the A-record of the domain, as well as login details for your Qrator personal account. Connection takes up to one business day.

Specify a secure IP address in the domain A record⁠

1. Go to your domain registrar's control panel where your domain records are stored.
2. In the A-record, change the value to the secure IP address you received in the ticket at the service order.

Add a TLS(SSL)-certificate⁠

1. Log in personal account on the Qrator website. Login and password can be seen in the ticket about service order.
2. Go to the section Certificate storage.
3. Click ADD CERTIFICATE.
4. If you do not have a TLS(SSL)-certificate, you can issue a free Let's Encrypt® certificate that protects a single domain. To do this, open the tab USE LET'S ENCRYPT, press Next, select a domain, enter the domain name, and then tap CREATE CERTIFICATE.
5. If you have a TLS(SSL)-certificate or you want to protect several domains with the same IP-address — open the tab UPLOAD CERTIFICATE, select the file, and then press UPLOAD.
   A certificate to protect multiple domains must be multi-domain: to protect different domains — SSL or UCC with SAN option, to protect domain and subdomains — Wildcard.

View statistics⁠

After connecting and configuring the service, you can view traffic statistics.

1. Log in personal account on the Qrator website. Login and password can be seen in the ticket about service order.

2. Go to the section Reports. Here you can view statistics on incoming and filtered traffic. You can use filters when building statistics:

   • by type (traffic, packets, requests, and so on);
   • by time (5 hours, a day, a week, a month, and so on).

Deactivate the service⁠

1. Make sure that you have reconfigured traffic reception to an address from your subnet. The protected address issued when the service was activated will be deactivated along with the protection.
2. Go to your domain registrar's control panel where your domain records are stored.
3. In the domain A record, change the value to an address from your subnet.
4. В control panels go to Network services → DDoS protection.
5. On the menu. services select Deactivate monthly payment.
6. Optional: file a ticket for refunds for full unused months.