DDoS attacks protection

In early May, 2019 the public cloud platform Yandex.Cloud encountered a first persistent series of DDoS attack. For security reasons we could not announce the incident earlier and can break a story only a month later.
Hackers attacked two cloud clients at once 1.5 hours apart. The first attack was observed at 7:40 p.m. Moscow time with 145 Gbps bandwith, the second wave of DDoS with 159 Gpbs was detected at 9:21 p.m – quite considerable figures for a cloud infrastructure, particularly young.
The attacks were performed with DNS Amplification. Both attacks lasted no more than a minute, and while attacking the second cloud client hackers tried to change tactics to increase effectiveness of the attack. However it did not work: Yandex DDoS Protection service developed in collaboration with Qrator Labs helped automatically mitigate both attacks by the Qrator network, and no further attacks attempts were detected. Perhaps these were “test strikes” - the attackers checked whether the cloud was ready for such threats, and if it made sense to repeat attacks in the future.
The Qrator network with multi-terabit bandwidth and high-capacity processing capabilities successfully filtered the DDoS attacks. Moreover, both attacks went completely unnoticed by the clients: their services remained the usual mode of operation.
The cybercrime market is developing dramatically. The range of hacking tools is getting broader so new types of attacks are recorded even more rapidly. Online businesses are at higher risk: almost every company faced a cyber attack just for once. So, all Yandex.Cloud clients are highly recommended to protect their business against DDoS attacks and connect to the Yandex DDoS Protection service integrated into the cloud infrastructure. This will help to maintain business efficiency and provide the highest quality of customer service.

Founded in 2005, Dailymotion is the 3rd largest online video streaming service in the world that connects over 250 million users. Dailymotion is available worldwide in 18 languages and 35 localized versions featuring local home pages and local content.
Video streaming delivery needs a fast and stable connection through the Internet to the end users, otherwise the quality of video streaming would degrade. When video codec needs to frequently adapt to an unstable Internet connection, it causes playback freezes, jumps in time and long buffering times. When the Internet transit is unstable, route changes can often occur and some may affect the RTT (Round Trip Time) dynamics, which has a direct negative effect on the quality of a video.
To monitor all possible BGP anomalies in real time, Dailymotion opted for the Qrator.Radar global Internet monitoring service, due to a high level of performance and the ability of the system to detect a larger number of routing events.
Dailymotion NOC (Network Operations Center) looks after all possible issues that could impact the quality of video delivery over the Internet. It collects information about the prefixes affected by leaks, as well as bogon networks (IP address announcements which normally should not be listed in Internet routing tables) and other routing incidents. Qrator.Radar provides the data which helps to analyze the network online in real-time, to correlate user issues with routing incidents, and to take immediate corrective actions to provide the best video experience to the end users.
"Data transfer stability and optimal routing are key factors for a nominal video delivery process. Network lags, jitter (variation in the traffic latency due to network congestion), time drifts, or internet routing changes — all of these are potential issues which may cause a degradation of our service”, says Christian De Balorre, Head of Dailymotion IP network engineering.
"Qrator.Radar is one of the Qrator Labs' core products which we have been developing continuously. Qrator.Radar helps owners of standalone systems identify the anomalies affecting the quality of network services in real-time and respond quickly to incidents, ensuring better network performance. Dailymotion adheres to the highest standards to ensure the continuous availability of its network resources. Our global Internet monitoring system will help Dailymotion to provide even much better service to their customers and improve their NOC efficiency," says Artem Gavrichenkov, CTO of Qrator Labs.

The moment we chose Qrator Labs as the DDoS-mitigation provider, we were already protected. With our previous solution we felt unprotected because of their slow reaction time to attacks and their scrubbing quality, or poor attack recognition, which generated too many false positives. Communication with their technical support was slow and often ineffective, we could not get answers to our questions.
Eventually, we realized this had to stop, so we began to search for a more appropriate solution. We had already heard of Qrator Labs, and its founder Alexander Lyamin, so we decided to consider the Qrator mitigation network. After our initial tests and market analysis, it was clear that the offer from Qrator had the best price/quality ratio.
Lazada is the fastest growing marketplace in South-East Asia and it must always be available for both customers and merchants. “Availability” here means not only that the website itself is accessible, but that it is reached as quickly and seamlessly as possible.
Paths of escalation during attacks are critical; sometimes there is no other way than to call the CTO… however, we never did.
Based on 16 months of experience with Qrator Labs DDoS mitigation service we can state that proficiency of their technical support differentiates the company from any other providers on the market. The combination of this high quality with their speed in processing technical questions, issues and requests makes the Qrator Labs network operation center and their tech support team one of the best in IT security. Since attacks and incidents are unpredictable, it is vital that when they happen, communication remains precise, fast and professional in order to satisfy the customer.
We do not need to mention the quality of Qrator’s scrubbing and attack mitigation since its high quality is taken for granted—a company with our size and technical requirements cannot afford to settle for providers that are not fully open and do not have our total confidence.
We experience on average one minor attack every one to two weeks. Every two to three months, we experience serious reinforced attempts to DDoS-attack our system. Once or twice in a year, we see extreme incidents, even targeting entire network, to which we must respond immediately and aggressively to cure together with Qrator Labs engineers. Sooner or later, attacks become routine, something that happens and we know that, but we would see the details in the next day’s report.
We measured the latency of our network and the speed with which our average user sees a page delivered in the region we operate, and Qrator Labs is improving those parameters slightly. There’s not much room for improvement though, and a positive change by several milliseconds is a lot in this case.
After one year of working together we asked Qrator Network to protect our DNS too. We had some specific feature requests that Qrator Labs quickly implemented, within weeks, which is fantastic. It can be difficult of require such customized solutions but when the feature is delivered exactly as hoped - it feels great.
Working with such a company represents an exciting opportunity for us.

Viktor Seleznev, head of the information security infrastructure support group of Raiffeisenbank:
In the financial industry, reputation is one of the most critical factors of a bank's success. And reputation is inextricably linked to security. If a financial institution's online services become unavailable, it instantly undermines its credibility and whittles away the trust in customer relationships. Raiffeisenbank is one of the most reliable banks in Russia and the most convenient Russian bank according to the American edition of Forbes; thus, even minimal resource downtime is not acceptable for us.
For over six year we have trusted Qrator Labs to ensure business continuity and protect against network attacks. The Qrator filtering network mitigates any DDoS attacks in real-time, detecting abnormal traffic, and instantly blocking it.
It is especially crucial for us that the system can block high-capacity network-level attacks and in automatic mode, thus minimizing the response time to any attacks.
Today, more than 100 Raiffeisenbank services are under Qrator Labs protection. There is no doubt that Qrator Labs is a reliable partner for any business which needs its infrastructure to be protected from network attacks and ensured its continuous operation.

Türk Telekom, with over 180 years of history, is the first integrated telecommunications operator in Turkey. Türk Telekom Group Companies provide services in all 81 cities of Turkey with over 34 thousand employees onboard, bringing the vision of introducing new technologies to Turkey and accelerating Turkey's transformation into an information society.

For national operators of such a level as Türk Telekom, it is crucial to detect network anomalies that can significantly impact the availability and quality of their services at the global routing level.
For global traffic monitoring and anomalies detection purposes, Türk Telekom was looking for a specialized tool working at a level of inter-domain routing.

Qrator Radar could meet all the customer's precise requirements as the world's biggest Internet monitoring service with more than 800 ISPs worldwide, providing data on all networks available within routing tables.

Qrator Radar helps Türk Telekom detect global connectivity incidents such as Route Leaks, BGP Hijacks. The opportunity to get notifications on BGP anomalies in real-time allows the immediate reaction to the incident, mitigating possible adverse outcomes for business and ensuring better networking overall.

This comparison was made by SDVentures at the end of 2017 and original methodology was the following:
“ With the help of websitepulse.com tools, from 3 locations within mainland China (the first column) data centers we made 5 measurements to the specific destinations (second row). We discarded 1 best and 1 worst results, averaging 3 results left*.
The whole point of this case is about the professional quantitative approach in benchmarking new products and services, as well as comparing services regarding specific requirements and use cases. The methodology could be improved continuously, as well as questioned, however, since this is not something of Qrator Labs production we have decided to take these measurements into our 2017 annual report on the state of cybersecurity.
Such tests illustrate the correct and practical approach for obtaining benchmark metrics in the form of business-specific performance indicators. Such activity in benchmarking cloud services shows that the level of technical proficiency at the company, running those tests, is high. Not believing marketing materials and conducting own research is a good thing, as we have said multiple times earlier and the main reason for open-sourcing our set of the RIPE Atlas tools to simplify such activities for interested parties.
Being able to formalize such parameters you want to test and reason them is very important and not comfortable in most situations. Measuring incorrect parameters would not help you understand what product or service is better suits your business case. Mainland China is also a highly specific case for measuring, because of the well-known Great Firewall and how it influences standard packet transmission and processing.

* Given methodology and results originate from our customer and should be considered with precaution.

Olymp Trade trusts professionals the fight against cyber attacks
The financial company Olymp Trade emerged in 2014, and in such short time managed to occupy an exceptional place in the market. The usage statistics of the online platform is impressive: the number of simultaneously trading sellers reacher 20,000. Moreover, within a month 100,000 new traders make about 15 million transactions.
Such financial activity on the Internet cannot stay unnoticed, and therefore the issue of the possible cyber attacks remains hugely urgent.
Engineers of Olymp Trade note that intruders attempts to hack the system have repeatedly been observed. However, significant negative consequences on the system and critical losses can be avoided through a combination of technical and administrative measures. For example, by a separation and additional protection of funds circulating in the system: «just like that» you would not be able to withdraw the money. Any withdrawal attempt should receive information from the account holder. Thus any suspicious activity would be instantly suppressed.
Crucial moment
Some time ago, Olymp Trade first encountered a persistent DDoS attack - the largest in company history. Hackers planned to disable the system and start demanding money. Employees received various letters with direct threats and extortion.
«It is fair to admit that we did not immediately realize that the abnormal activity is hiding a real threat,» said Olymp Trade representative. «By carrying out extensive advertising activity, we already faced a severe increase in requests that put a significant load on the platform, and at first believed that our system does not withstand a large number of new and relevant users. It seemed to us that this traffic was valid until the experts began to disassemble it by logs.
Attempted attacks aimed L2 and L7 on several vectors, starting with trial strikes on our service and ending with a long night series of continuous requests. Our 24-hours technical support service immediately reported a significant deterioration of service and instability of the platform: at night we raised the team of our technicians and, having evaluated the problem, started switching to the Qrator filtration network.»
Sometime after connecting, learning and setting up the network, all the garbage traffic was filtered out, and the work was normalized.
Mobile hacking
For customer’s convenience, some mobile applications do not require captcha input, and intruders try to use that for their sake. Olymp Trade periodically encounters attempts to compromise the end devices and applications - for example, in the case of brute forcing passwords. The company is aware of such efforts of exploitation and actively fights them. To protect customers new algorithms for the account protection are introduced, WAF is adopted to prevent the risk of hacking the trading application.
At the same time, some possible attack vectors are weakly controlled. Infected by the virus Android device that redirects SMS to the malefactor, desktop keyloggers are the nowadays reality. It is difficult to reverse the situation because this vulnerability exists on the side of the end user. We should pay tribute to the Olymp Trade technical support specialists, who always warn traders about possible non-market risks and try to find the best options for ensuring their security.
No pasarán!
Olymp Trade notes that not all attack types could be efficiently mitigated on own forces - often it is economically exhausting.
After connecting to the Qrator Labs mitigation network, the company’s services entered the usual mode of operation. However, this does not mean that the attacks ceased forever: for several weeks, strong cyber attacks were observed. However, even after hackers switched the attack vector, the Qrator network quickly adapted to the changes and efficiently neutralized new mass queries. Work of support technicians and developers should also be noted, who promptly joined the process of analyzing further attacks.
Olymp Trade considered DDoS-mitigation services from several contractors, but, in the end, made the Qrator Labs decision. Among the main reasons - a positive teamwork experience, high professionalism and a complete understanding of the internal technical structure of the financial company.
«The effectiveness of the Qrator Labs solution is high», summed up the Olymp Trade representative.

It's not a secret that all is fair in Love and War. Tanuki, a restaurant network, found it out the hard way in Autumn 2021. On August 29th, Vladislav Pozdnyakov, the founder of the “Male State” movement waged war on all restaurants operating under Tanuki brand in his Telegram. The spark that set off the fire was the ad pictures of a black male model holding a rainbow flag that Tanuki had published on Instagram. The activist threatened to bring their business to a standstill if the company didn't delete the pictures and apologize “to the nation”.

The company’s representatives refused to cater to the threat and stated that “their plans did not include deleting pictures and making apologies" as all accusations were groundless, even from the point of the Russian legislation.

After Tanuki had refused to comply, mass bullying and trolling was launched. There were false calls to law enforcement about bombs at restaurants, the activists set up spam-attacks, ordered delivery to non-existent addresses, made orders and then refused to pay imitating bots’ activity. The cherry on the top was a series of DDoS-attacks on Tanuki’s website and apps after Vladislav Pozdniakov, the nationalist movement leader, had encouraged his Telegram followers to fund further attacks.

From August 29th through September 13th the list of blocked IP-addresses exceeded the 5 thousands threshold 15 times; in 9 cases more than 19 thousands IP-addresses were blocked. Even between the peaks the number of blocked addresses rarely dropped below 400*. At least seven attempts were made to exhaust channel capacity with amplification attacks, the most powerful of which was over 77.9 Gbps.
* The Source IP was blacklisted; the addresses from the black-list cannot get access to the web resource
Detailed timeline of the first attacks

The first attack started at 15:00 on August 29th; it didn't have any significant impact until 19:42 when the number of incoming traffic started to grow exponentially and the attack reached 7.08 Gbps at its peak. All of those were requests of the main page from multiple IP-addresses. 21.72 thousand IP-addresses had been blocked by 19:46. There were fresh attempts to attack the website at 20:11 and 21:19 (which were the peak periods for online orders) but as traffic of the services had been automatically filtered by Qrator Labs network, the assaults had hardly any impact on the resource’s availability whilst extending the black list to 30.2 thousands of addresses at its maximum.

Around 9 a.m. on August 30th Vladislav Pozdnyakov published a detailed instruction for the attackers in his Telegram channel. The attack started at around 14:40, followed by the third wave of attacks, the longest one lasting 630 minutes. During a short break between the second and third waves, the attackers made one of the most massive attempts to exhaust the channel capacity with incoming traffic at 77.9 Gbps, but at the peak of the attack Qrator Labs network passed only 3.84 Mbps at most, which had no effect on the protected resource at all.

As a rule the intruders used different proxy-servers during the attacks, so that the top addresses during the most attacks were from Brazil, Indonesia, Iran and India.

On September 13th the “Male State” Telegram published its last call to attack Tanuki. Even though after that date DDoS attacks were no longer coordinated via Telegram chat, they didn’t actually stop. There were another 6 attacks before December 1st; more than 5 thousands IP addresses were blocked during each of them.

Curiously enough, September 28th witnessed the most intense attack of the entire "Internet war", but, unlike the others, the traffic from the RU segment was not increasing, so we can assume that this attack was not "Male State"-related or was ordered by one of its members without coordination with the other participants. The attack lasted 260 minutes, around 33,700 addresses were blocked and the rate of incoming traffic was 132.85 Gbps at its peak.

On October 18th, 2021 Nizhegorodskiy district court found “Male State” to be an extremist organization thus banning its activity across Russia. Now Tanuki is attempting to claim damages through the legal system.

“The Qrator Labs network has helped us maintain a high level of customer service during the “Male State” attacks. We are grateful for our partner’s support. Qrator Labs specialists were always available, the attacks were quickly mitigated and hardly had any effect on our services, although we did experience massive waves of DDoS-attacks. The attacks gave us an opportunity to update our web infrastructure and our tech team gained extensive experience. It will help us ensure sustainable development and reliability of Tanuki’s services, and next time we will be well-prepared for such events no matter what scale. It’s worthwhile experience for us and we are ready to share our knowledge with those who face such issues” commented Ilya Silinevich, Chief Technology Officer of “TanukiTech”.

After the happy ending of the conflict with “Male State” Tanuki team decided to subscribe to another service by Qrator Labs without limiting themselves to DDoS-attacks protection. At the moment the company is implementing and testing Bot Protection product. Previously, Qrator Labs support service helped Tanuki to combat bot activity, including malicious activity not originated by DDoS attacks, when attackers simulated bot activity on the website by putting products in the cart and abandoning them. Now the website and the mobile application of the company will proactively filter bot traffic with the help of Qrator Bot Protection solution.

At the end of the March 2017 a powerful attack on the data center where Tilda Publishing, offering flexible online web page creation tool, hosted their infrastructure was made. An assault lasted for a few hours, making the Tilda platform inaccessible for its clients, and thus switching those websites created with the Tilda out of the service.

It is known that a sophisticated DDoS-attack influences the whole data center infrastructure, affecting not only an attacked site or service but pressuring other servers working on premise, utilizing the same physical connection channel to other ISPs. That is the main reason why we frequently observe blackholing a service under attack in an attempt to mitigate further collateral damage could be made to the whole infrastructure and extensive clientele. This what happened to Tilda Publishing, disconnected from the service for 2 hours.

This situation is not something unique — lately, this is a common way of mitigating a DDoS attack, saving everyone else except an attacked service. So you should not be surprised when your server becomes utterly disconnected under severe attack, which could not be adequately mitigated by your connection or hosting service provider.

In the digital world, even a couple of hours without a constant connection and the denial of service for clients would severely affect the long and middle term business condition and its growth path. So Tilda Publishing turned to the Qrator Labs for a solution and active mitigation.

Filtering all traffic within the Qrator Labs cloud mitigation network, Tilda Publishing cuts off the infrastructure, reputational and financial risks and possible damages. All of this is of great importance while speaking about international service providing a tool for users all around the globe.

Besides an attempt to mitigate an incoming DDoS-attack in-house is always a great stress since technicians have to deal with events happening at an inopportune time since attackers choose such periods for their attacks when observation and monitoring are being held passively — at night or during weekends.

Tilda Publishing reacted fast — in the startup world, where the speed and growth mean so much, little probability risks are often taken off the equation. Until the first attack and a possible denial of the particular service, which is the moment of making a right and long lasting decision, keeping in mind all the “pros” and “contras.” Qrator Labs is proud to provide Tilda Publishing with constant availability and distributed denial of service attacks mitigation.

Tilda Publishing setup:
— Under attack mitigation service adoption in short term;
— 100% uptime with 0% denial of service;
— Uninterrupted and high availability of all Tilda Publishing services;
— Full scale of DDoS mitigation (up to ISO OSI L7);
— Professional and always-on technical support.

In October 2019 Sberbank and the consolidated company FoodPlex launched SberFood, an application that lets users quickly choose a restaurant or a café, book a table, preorder food and beverages, pay the bill and leave a cashless tip. SberFood comprises a mobile app with services for guests and Plazius Marketing Cloud, a CRM and loyalty system for restaurant customers. The platform serves as a bundle of helpful tools to automate marketing and revenue growth from frequent visitors.
SberFood became one of the food-tech development headliners in Russia. It integrated digital technologies into restaurant business and supplied restaurants with new marketing tools and modern know-how to reach new audience.
Just like any other high-tech business, SberFood faced a pressing need to ensure continuous availability of its app with a wide user base in 150 cities throughout Russia.
Service degradation caused by DDoS attacks and breaches of popular mobile platforms can have severe impact on the loyalty of customers and restaurant sales. In order to reduce infrastructure risks the company decided to connect to the Qrator traffic filtering network and mitigate DDoS attacks. WAF (Web Application Firewall) was set up as an additional measure to protect the web app from hackers attacks while blocking malicious traffic and bots.
The WAF consists of a proactive filter that blocks most of the attacks on the web application, a vulnerability detection system, and Virtual Patching. The latter protects the application from exploits of the vulnerabilities blocking attack and intrusion attempts in online mode. In 2018 the customer made all necessary arrangements for bots protection. This included tagging bot traffic and recognition of the most frequent parsing and fraud sources, including proxy servers and TOR.
Due to proactive connection to the security services, the app's launch and its further functioning went flawless. The synergy of Qrator Labs analytics and the customer's cooperation help effectively minimize malicious bots activity.
________________________________________
FoodPlex is a consolidated company including SberFood, a platform helping users book a table, enjoy special privileges, make a reservation, quickly pay the bill and leave a cashless tip. It also consists of the Plazius Marketing Cloud digital marketing and payment system, the Afisha-Restaurants media service, the Smart Reserve booking system and the restaurant automation system r_keeper, which automates functions in a restaurant hall, kitchen, storage room, office and accounting department. Sberbank and Mail Group are shareholders of the company.

During the COVID-19 pandemic, businesses worldwide faced increased economic risks and threats to security and availability of their web resources. In the wake of the COVID-19 outbreak, cybercriminal acts have become more frequent, and websites began to experience enormous loads.
The most intense attacks during these three months were targeted at the education sector, primarily online diary services and educational platforms. According to Qrator Labs, at the end of March 2020, number of attacks on online courses and distance learning services industry dramatically increased four times if compared to February 2020. It was first due to students’ attempts to avoid further online education. Also tools for organizing DDoS-attacks are available even to the younger generation and as there is a great competition in this market – companies can resort to any means, even illegal, such as DDoS-attacks, in the fight for the customers and government funding.
On March 16th, 2020, Foxford online school opened free classes for all 1st – 11th-grade students who found themselves in self-isolation due to the coronavirus pandemic. Immediately after that, the company's services were exposed to regular intensive denial-of-service (DDoS) attacks.
In March, more than a dozen incidents were recorded. The most serious incidents occurred in the second half of the month. From March 23rd through March 30th, five DDoS attacks with a total duration of over 25 hours were organized. The largest incident occurred on March 30th; the online school experienced a massive DDoS attack that lasted more than three hours, reaching its peak size of 160 Gbps, while the average volume of most attacks today does not exceed 40-50 Gbps.
It should be noted that along with the typical DNS amplification attack, attackers actively used TCP-based attacks, including SYN flood (sending a large number of SYN requests (TCP connection requests) in a fairly short time). Botnet-based DDoS attacks on the application layer coming from Russia and South-East Asia were also detected. Although not a rarity in itself, such an aggressive attack profile was not previously typical to online school resources (at least, excluding a short period from September 1st through 5).
The school's resources continued to be attacked in April. For example, the April 6th attack was application-based and used a botnet with IP addresses belongIng to various companies from the United States, South America, and Southeast Asia.
Such a diverse nature of the parasitic traffic sources suggests that the online school was a constant target of targeted DDoS attacks. Various groups of attackers, each of which set its main goal to disable the service, were engaged in the organization of the attacks.
"Offering online protection services to many educational platforms for several years in a row allows us to note how much younger modern attackers have become. The DDoS-attack toolkit has become available to experienced programmers and the younger generation representatives who are successfully involved in cybercrimes. Students can arrange DDoS attacks quite independently or, in some cases, they even find funding for the use of third-party performers. Today an attack with an average volume size of 40 Gbps is enough to stop work of any web resource. However the Foxford attack on March 30th was a professional job. Such an attack, with a volume size of more than 150 Gbps, requires significant financial investments to rent servers, ensure the necessary technical infrastructure, and, possibly, attract professional attackers," – says Artem Gavrichenkov, CTO of Qrator Labs.

When millions of transactions per day are effected through the payment system, the availability of web resources becomes a critical part of the business.
Qrator Labs is our reliable partner who has helped to ensure the SLA that is necessary for business and has expressed flexibility in dealing with our complicated web infrastructure.
Separately we use Wallarm for web applications protection and extensive API. We are particularly pleased with being able to integrate both solutions into our incident response center and monitoring system.

For some time now, Qrator Labs has been a reliable provider of network security services and protection against DDoS attacks and other Internet threats for A1 Systems.
"Due to continuous traffic filtering, minimum incident response time, and instant mitigation of the most complex intellectual cyberattacks, Qrator Labs ensures the availability of our resources in 24/7 mode. The Qrator Labs service offers reliable protection for business from network attacks of any complexity. A1 Systems is the first Russian company to provide eSIM profile management services on a commercial basis. We have successfully passed the initial audit by the GSMA, obtaining SAS certification for subscription management (SAS-SM). Thus, the continuous availability of technical infrastructure for our customers is a critical part of our business. Service downtime is not acceptable for us", says Leonid Markovich, Head of Marketing Division of A1 Systems.

In May 2021, the cryptocurrency market experienced one of its worst days since March 2020. The total market capitalization collapsed by more than $ 500 billion, and the bitcoin rate dropped to $ 30,000 for the first time since the end of January. This rate drop caused a new surge in DDoS attacks.
DDoS attack botnets are also used to mine cryptocurrencies. When cryptocurrencies rates get high attackers redirect botnets powers to mining, which becomes much more profitable. While the decrease in cryptocurrencies rates botnets are monetized in a different way – by arranging commercial DDoS attacks.
So, against the backdrop of a cryptocurrencies’ sharp collapse on May 25, 2021, Cindicator and its product Stoic, a crypto trading artificial intelligence bot, were exposed to two large-scale DDoS attacks, arranged within 2 hours interval.

The duration of each incident hardly exceeded 15 minutes of continuous malicious traffic. In the first episode, the DDoS bandwidth reached 160 Gbps. It was a low-level flood that was successfully filtered by the Qrator Labs network. During the second more serious episode, the attack bandwidth reached 487 Gbps and 47 MPPS, affecting the application layer: the attackers generated more than 8 thousand requests per second to the attacked web application. The filtering system blocked about 4 thousand bots, 25% of which were in Southeast Asia and the Russian Federation.
The high potential of the Cindicator project in the scope of rapid cryptocurrencies development makes it very noticeable in the competitive trading market that gives rise of frequently organized DDoS attacks.
“The safety of Stoic users is our top priority. Connecting to the Qrator Labs network has helped Cindicator to mitigate infrastructural risks and in the meantime avoid the reputational ones, which is highly important when working with a large number of users. We cannot afford even a single minute of downtime. Our platform must run like clockwork 24/7, and cooperation with Qrator Labs helps us reach this continuous availability. The filtering network mitigates DDoS attacks of any complexity in a completely invisible mode, which makes it possible to focus on our business tasks to create a holistic and in-demand traders ecosystem,” comments Vlad Kazakov, Head of Products at Cindicator.

Online ticket sales are rapidly gaining momentum in Russia. The e-ticket share of the overall ticket sales market in Moscow and St. Petersburg may reach 90–100% in certain event segments. The industry is gradually transitioning online. On the one hand, this opens up new opportunities for market players, and on the other hand, it entails additional security risks that are unavoidable. Kassir.ru, the largest ticket operator in Russia, is at the forefront of this industry trend. In 2018, the company sold more than 6 million tickets with a total face value of over RUB 10 billion.
For large companies such as Kassir.ru, which have a complex infrastructure and business processes, it is a particular pressing issue to ensure a high level of information security, since any stoppage of the ticket operator’s service at a national level can entail enormous losses. This is not to mention the significant loss of reputation in the eyes of customers in the case of such an event, since they often desire the ability to purchase tickets online at any time of the day.
DDoS attacks together with fraud are consistently ranked among the top threats to businesses in the e-ticketing industry. It is no surprise that Kassir.ru decided to take preventive measures to protect against DDoS on the basis of an analysis of its competitive environment and trends in Internet attacks. The company compared several DDoS mitigation solutions in practice, and as a result of such testing it opted for the Qrator Labs traffic filtering network.
Kassir.ru Technical Director Kirill Dyakov commented as follows: “Qrator is a market leader. The development of proprietary filtering algorithms and reliance on a professional development team as well as, of course, the simplicity and ease of use of the service are the decisive factors that we consider when choosing a solution for filtering DDoS traffic. For a high-tech business like Kassir.ru, it is very important that we are able to continuously protect against attacks and that this protection remains as invisible as possible for our customers. It is also important for us that the services are able to operate stably under heightened user loads, such as, for example, during nationwide promotions. On such days, the number of simultaneous system queries may be dozens of times higher than what is true of a normal day. We are currently confident in our level of preparedness to handle such stressful situations, and these preparedness measures include our partnership with Qrator Labs.”
It took several months to set up a Qrator network connection: first there were test traffic runs, and then we tested the system in “combat” mode. Once we completed our monitoring of the service and were satisfied with the quality of the provided service, Kassir.ru became an official customer of Qrator Labs in January 2019. It did not take long before the company encountered its first deliberate attempt to disable the system using a DDoS attack. The attack was small, and apparently it was designed to probe our system’s weaknesses: the speed did not exceed 1 Gbps, and the most intense period of “bombardment” with garbage queries lasted no more than a few minutes. The Qrator network instantly and automatically neutralized the attack, and when the attackers subsequently realized that our system used “smart” traffic filtering, they decided against trying to repeat the incident.
As a high-tech and fast-growing company, Kassir.ru constantly seeks to expand its business and attract new market players and partners to its ecosystem. At the same time, the company is also developing its IT infrastructure. The highest priority of these efforts is to ensure fault tolerance and 100% service availability. Founder and CEO of Qrator Labs Aleksandr Lyamin commented: “We would like to thank Kassir.ru for choosing the Qrator solution to neutralize DDoS attacks. Our filtering network is able to expand in tandem with the development of our customer’s business, and it adapts to meet its goals. We are prepared to offer our platform and expertise to support the roll-out of our customer’s national ticket operator platform, which is one of the most challenging and ambitious projects.”

The largest Russian classified advertisements website is an exceptional customer to Qrator Labs. With high legitimate traffic amount, the company turned to Qrator Labs for a filtration solution in the year 2011 and continued partnership ever since.

The main DevOps and DevSecOps approach in Avito is straightforward and transparent:
— Usage of simple though efficient technologies and methodologies;
— Economics effectiveness estimation of every solution tended to be integrated;
— The quality of service and infrastructure control for users, based on own or borrowed expertise.

DDoS mitigation became one of the few areas where Avito decided to trust a third-party vendor. Besides, Avito developers got all the infrastructure control options thanks to the Qrator Labs control panel.

For six years Qrator Labs provided traffic filtration in spite of the dynamic growth of the Avito userbase.

The availability of the service and decentralization of the network infrastructure are issues of great importance for the Avito, as well as the network perimeter readiness for hacking attacks. The Avito self-awareness in DDoS mitigation was not enough, which is the main reason why Avito came to Qrator Labs.
In 2015-2016 Avito completed the relocation of existing infrastructure from one datacenter to another, which resulted in a change of the network topology. While looking for the right solution, Avito considered standalone CPE as well as cloud DDoS mitigation service providers. However, the CPE flexibility was more than required for Avito, as well as the technical support was not ready to answer all calls and questions about installation and configuration on a short term.

That is why Avito decided to ask Qrator Labs to help, consult and oversee the creation of the new network for the company’s autonomous system. Among the major requirements to that network were: security, high availability and failover tolerance.

“Working with Avito exposed greater obligation for our filtration network effectiveness, but we were able to provide extensive options for flexible connection of the company’s network to the mitigation cloud. We are happy that this partnership proved to be successful throughout the years of joint work”, - says Qrator Labs CEO Alexander Lyamin.

Due to the solely digital broadcasting, the “Rain” TV channel has been paying considerable attention to the resource possible distribution issues, ensuring high accessibility, putting failure absence and uptime in the first place since the start of broadcasting. This priority of uninterrupted broadcasting is so high for the “Rain” that in the case of a server failure company has always a few more in stock, putting them online with the help of Qrator client tool.
In September 2003, Alexander Lyamin, the founder, and CEO of Qrator Labs was invited to the broadcast of anchorman Pavel Lobkov to answer questions about successfully mitigated denial of service attack on the “Rain” TV channel, describing it in details.
That attack was sophisticated - failing on the first attempt, the attackers who tried to put the “Rain” TV channel website down switched to the broadcaster internal infrastructure, seeking to disable stable transmission of the video stream. For a period they even achieved their goal, shortly before Qrator Labs took protection over those servers.
According to the channel representatives, for several years they do not need to think about DDoS attacks and whether they are present. This does not mean that there are no attacks — they are conducted from time to time, but thanks to Qrator Labs solution neither technical experts nor viewers do not notice them.
“Rain” TV channel also utilizes WAF solution, though adding that the vast majority of attempts to “break” anything on the network perimeter are detected with their resources and means.
The digital broadcaster is so satisfied with the Qrator Labs services so much that have not even tried products and services from competing companies.
Requirements of the “Rain” TV channel:
— Continuous availability of the platform and internal corporate network resources;
— Zero denial of service;
— Full protection throughout the ISO OSI model;
— Under attack service adoption and successful neutralization in a short period.

Today, every business operating in the fast-food industry knows about the international phenomenon of Domino's Pizza. The company managed to become one of the fastest-growing in the food industry and achieve a 16-fold increase in sales in Russia since 2014. Thus, in 2019 the company's online sales grew by 30%. Today, in the wake of the COVID-19 outbreak, which caused the adoption of self-isolation measures worldwide, online food delivery's popularity continues to grow. It accounts for more than 80% of all sales.
Domino's Pizza Russia is one of the leaders in the pizza delivery segment. Thus, the company needs to be online 24/7 because every second of downtime means severe financial losses and reputational risks. The modern world is so dynamic, the competition is fierce, and the customers are so spoiled that if it takes more than 20 seconds for a website to load, they immediately look for an alternative, opening a competitor's website in the new tab of their browser. That's why the Domino's Pizza Russia internet business must always be available to its customers, provide the best services, and deliver the tastiest pizza as quickly as possible.
DDoS attacks in industries such as fast food are organized mainly for extortion purposes and to fight competition. There is also a ton of commercial orders for DDoS attacks on the Internet. Many businesses are forced to struggle for their existence and ready to use almost any methods to to take out competitors of their way and earn a larger market share.
Qrator Labs has been working with Domino's Pizza Russia for more than three years now, ensuring sustainable development of the client’s business in Russia and providing protection against DDoS attacks. "We chose Qrator Labs because of the efficiency of the protection technology offered, advantageous rates, simplicity of connection to the service, and the highest level of technical support," says Konstantin Baev, Head of Information Technology Department of Domino's Pizza Russia.
Qrator Labs experts helped Domino's Pizza Russia neutralize eight DDoS attack incidents, including application layer attacks, with a total duration of over 60 hours.
"In the online sales and fast food industries, orders are placed at any time of the day; thus, we have to interact with the customers almost 24 hours a day to ensure the highest quality of our services. Our information technology infrastructure is constantly expanding, and we must ensure its continuous operation. For 3 years of cooperation with Qrator Labs, not a single DDoS attack has affected our business. The Qrator Labs network instantly mitigates all DDoS attacks so that they go as unnoticed as possible for us. We would also like to note the highest level of technical support and skills that the company's network engineers possess. The response time and request processing speed meet our rigorous requirements," adds Konstantin Baev.
"According to our estimates, the total number of DDoS attacks in 2019 has increased by about 1.5 times, including the fast-food online ordering industry, which is rapidly developing and targeted more often by attackers. Constantly improving our unique filtering algorithms we help Domino's Pizza Russia manage traffic and provide customers with comfortable ordering online without any interruptions in the service. The Qrator network quickly and efficiently responds to the new types of threats in automatic mode and serves as a reliable foundation for building an infrastructure resistant to any external influences," says Alexander Lyamin, Founder and CEO of Qrator Labs.

One day Qrator.net took us for DDoS protection, and then we forgot about DDoSers forever.

Xakep.ru is the premier Russian portal dedicated to information security. Such content as research studies, analytics, coding and hacking manuals, hacker software collections, and web service reviews is published daily on the Xakep.ru site so that community members can stay up-to-date concerning the latest news and IT events. More than 700,000 unique users visit Xakep.ru each month. They not only read content on the web, but they also download it through a mobile app onto their tablets or smartphones. In 2019, Xakep.ru went even further and founded an English-language project, Hackmag.com, since it plans to gradually transform itself from just a Russian-language resource to a global educational platform.
Given the popularity of the portal, it must be ensured that users can access content at any time of the day. This means that the resource must be protected from all attacks that may cause a service outage. The site management already expressed a concern about their platform's security back in 2012, when the speed of DDoS attacks began to grow exponentially and exceeded 100 Gb/s. At that time Xakep.ru suffered several large DDoS attacks. The site was hosted on the company’s own hardware, and the constant downtimes created a huge problem for users, not to mention the resource administrators, who had to manually deal with the attacks.
That was when the editors of the portal decided to interview the founder of Qrator Labs, Aleksandr Lyamin, and, according to Xakep.ru founder Dmitry Agarunov, “he demonstrated that he and his team were rather experienced engineers.” Dmitry Agarunov commented: “It was clear that the Qrator team are not simply theorists. Rather, they have real-world experience repelling Internet attacks. This is why we immediately decided to try out Qrator Labs as a provider of a DDoS neutralization solution.” It was only after connecting to the Qrator filtering network that the portal was able to resume normal functioning, and ever since then, over the past seven years, Xakep.ru has had no more problems with DDoS.
Over the course of the partnership the client has called the Qrator technical support several times. Each time, the engineers gave prompt answers to all questions, sending clear and intelligible instructions on how to solve the problem. Dmitry Agarunov noted: “We have never been left hanging between support levels or given the runaround in the form of non-responses such as ‘Thank you for your question!’. It really is a very high-quality and fast service. Sometimes issues were resolved in just 30 minutes.”
It was initially decided not to secure the English-language resource — the management believed that it would be an unlikely target of an attack while it was still small. However, the attackers thought differently, and several months after the foreign portal was launched, several massive DDoS attacks were carried out on it simultaneously. As a result, Qrator Labs was also tasked with protecting Hackmag.com, and since then it has been able to successfully neutralize all attacks against the platform.
Over the years of their partnership, Qrator Labs has managed to save tens of thousands of dollars for Xakep.ru. Dmitry Agarunov summarized the relationship as follows: “The site is not only our source of income, but it also stands for our public reputation as a publication about information security. Even though the lost profits that are caused by a few hours of downtime may not be significant, the reputational costs are huge and unmeasurable.”

In September 2015 the company decided to get protected by the traffic filtering network Qrator. Before Regnum used protection supplied by the Internet service provider, but the incident occurred, it showed that these means were not enough.

Several times we faced with DDoS-attacks. We didn’t want to experience it anymore and after a brief search connected to Qrator. Then there were few attacks, but we were told that by tech support just after the event. I can recommend!