
Qrator.Radar

Product
Developers: Qrator Labs (Eych-el-el, formerly HighloadLab)
Industries: Internet services


Radar.Qrator is a free online service that analyzes the relationships between the autonomous systems operating on the Internet, using methods developed by the company. These relationships are displayed visually on the website http://radar.qrator.net, together with a forecast of how the links in use would change if routing policy changed. As the portal develops, a design interface is planned that will let telecom operators estimate the effect of adding new connections on an autonomous system that is already operating or still being designed. This mathematical forecasting model will help avoid network design errors whose consequences can amount to tens of thousands of dollars lost.

In addition, Radar.Qrator monitors security risks at the level of interdomain routing and identifies network vulnerabilities that attackers can use to generate large volumes of malicious traffic. Planned is a real-time warning system for emerging anomalies that can significantly affect the global availability of network resources, in particular anomalies that can lead to the loss of considerable volumes of traffic, or to its interception and analysis by attackers in a man-in-the-middle (MITM) scheme for a subsequent attack on Internet resources.


When the QRATOR system is used, all user traffic passes through the filtering network, is checked, and is forwarded to the client's server. Requests from bots are discarded on the basis of attack signatures, heuristics, statistical analysis and blacklists. Filter training takes 30 minutes on average.

Among the system's advantages are the effectiveness of the solution (fewer than 5% false positives while mitigating a DDoS attack), achieved by analyzing traffic at the application level, and the ability to increase capacity without loss of filtering efficiency.

History and statistics

2015: Qrator Radar records over 5000 route leaks

Qrator Labs, which specializes in countering DDoS attacks, records over five thousand route leaks on the Internet: errors in the operation of the global BGP routing system that affect the quality of Internet services (data as of May 2015).

The mechanisms involved in the "user - service" chain on the Internet are of two types: local (for example, a communication channel has a definite geographical location and lies within the area of responsibility of one specific participant in the chain) and distributed. An example of a distributed mechanism is the global routing system, in which all networks of the Internet participate. An example of a distributed mechanism of quality degradation is the so-called route leak.

The scale of the phenomenon is huge: Qrator Labs observes over 5000 such incidents every second across the whole Internet. Their lifetimes vary widely, from several minutes to several years.

Route leaks are most often associated with deliberate activity by hackers or by local regulators in various countries. In reality, however, the overwhelming majority of leaks stem from routing errors or incorrect configuration and are the result of simple human error. Second in impact is regulator policy, as in the well-known case of the blocking of YouTube in Pakistan in 2008. Third are the actions of attackers (hijacking, or "network theft").

Route leaks lead to more failures, traffic loss and significant degradation of communication quality. Both transit operators and consumers of the service lose as a result (and so, indirectly, does the service itself). The actual extent of the damage cannot be estimated, however: it can range from one ruble to millions of dollars if large financial institutions are affected.

There are many tools, both paid and free, for identifying such problems, as well as a lot of research into the scenarios in which they arise. Using Qrator Radar, a monitoring system for global routing, the owner of an Internet service can obtain detailed information on traffic transits, on the "places of the leak", and on the affected autonomous system.

2014: Websites of Russian media came under DDoS attacks, which were neutralized thanks to the Qrator traffic filtering service

On January 30, 2014, a DDoS attack with traffic volumes reaching 1.2 Gbit/s was carried out against the website of the Vedomosti newspaper. Its peak came at midnight between January 28 and 29, when requests began arriving at the website from a botnet of six thousand bots, mainly with Russian IP addresses. The nature of the attack on the Vedomosti website then changed: the publication's DNS servers were attacked and stopped working, so all requests to the vedomosti.ru domain name stopped reaching the web server. DNS servers are responsible for resolving requests for domain names into servers' IP addresses. Domain names were invented for people's convenience; machines communicate using numeric IP addresses.

Thanks to Qrator.net technologies, Vedomosti's specialists managed to neutralize the attack and keep the website available. Qrator's specialists redirected traffic to the filtering network and also provided the publishing house with DNS servers. Unfortunately, updating DNS server records across the network takes several hours, and during that time the website could be unavailable to some users.

2013

As of January 2014, more than 200 companies use the Qrator service. In 2013 Qrator mitigated 5786 DDoS attacks on Russian websites. The number of such attacks per year, as of Q3 2013, grew by 34%.

In 2013 Qrator Labs, using its own service of the same name, neutralized 6,644 DDoS attacks. The previous year the figure was 3,749. The growth is due both to an increase in the number of Qrator Labs clients and to growth in cybercriminal activity in general.

Compared with 2012, the maximum number of attacks per day neutralized by the Qrator traffic filtering network rose in 2013 from 73 to 151.

The maximum size of a botnet involved in an attack grew from 207,401 to 243,247 machines. The share of spoofing attacks also increased, from 43.05% to 57.97%. These are attacks in which a false IP address is substituted for the real user's address.

The maximum attack duration fell from 83 days in 2012 to 22 days in 2013, and the average availability of the web resources of companies using the Qrator network's services rose from 99.71% to 99.83%.

According to Qrator Labs, alongside the noticeable growth in the "intellectualization" of botnets that imitate the behavior of an ordinary user, the number of high-speed attacks such as SYN flood also grew significantly.

The average number of attacks per Qrator network client also increased in 2013. This trend was already observed in 2012 compared with 2011, but in 2013 the growth rate doubled, from 17% to 34%.

From March to October 2013 the overwhelming majority of attacks were carried out using DNS amplification. In these attacks the attacker sends a request (usually short, a few bytes) to vulnerable DNS servers, which respond with packets many times larger. If the victim's address is used as the source IP address of the requests (IP spoofing), the vulnerable DNS servers will send unwanted packets to that computer until its operation is completely paralyzed. Often the infrastructure of the victim's provider is also affected by such an attack. Last year attacks of this kind were carried out against clients of both large operators and small hosting providers.

From October to December a large botnet of more than 700 thousand zombie computers was active; it was used mainly to attack medium-sized Russian banks. This activity coincided with the Central Bank of the Russian Federation's actions to revoke the licenses of a number of banks.

In December 2013 the number of attacks using NTP amplification began to grow. These attacks are organized on the same principle as DNS amplification, but instead of DNS servers the attackers use time synchronization (NTP) servers. The number of such incidents continued to grow in the first two months of 2014.
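
The DNS and NTP amplification passages above share one trait a defender can detect: the victim receives large replies from port 53 or 123 that it never asked for. The following is an added example, not Qrator's code; the flow-record layout, the function name, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# UDP source ports of the two reflector services named on this page.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}

# Constructed sample flows using documentation address ranges:
# (time_s, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    (0.00, "192.0.2.10", 40000, "198.51.100.53", 53, 70),    # real query
    (0.05, "198.51.100.53", 53, "192.0.2.10", 40000, 180),   # its answer
    (1.00, "203.0.113.1", 53, "192.0.2.20", 31000, 3100),    # no query sent
    (1.10, "203.0.113.2", 53, "192.0.2.20", 31001, 3200),    # no query sent
    (1.30, "203.0.113.3", 123, "192.0.2.20", 50000, 4400),   # no query sent
]


def find_reflection_victims(flows, window=10.0, min_bytes=3000):
    """Return {(victim_ip, service): unsolicited_bytes}.

    A reply counts as solicited only if the receiving host sent a packet
    to the same server and port at most `window` seconds earlier.
    """
    # Pass 1: record when each host queried each server.
    queries = defaultdict(list)  # (client, server, port) -> [timestamps]
    for ts, src, _sport, dst, dport, _size in flows:
        if dport in REFLECTOR_PORTS:
            queries[(src, dst, dport)].append(ts)

    # Pass 2: add up reply bytes that match no recent query.
    unsolicited = defaultdict(int)
    for ts, src, sport, dst, _dport, size in flows:
        if sport not in REFLECTOR_PORTS:
            continue
        sent = queries.get((dst, src, sport), ())
        if not any(0 <= ts - q <= window for q in sent):
            unsolicited[(dst, REFLECTOR_PORTS[sport])] += size

    # Report only volumes above the alerting threshold.
    return {k: v for k, v in unsolicited.items() if v >= min_bytes}


if __name__ == "__main__":
    for (victim, service), total in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{victim}: {total} unsolicited {service} reply bytes")
```
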