Qrator Labs network architecture

The Qrator Labs distributed network is designed such that customers whose traffic passes through it can expect a high SLA even under heavy loads.

The network consists of several traffic scrubbing centers, which form one autonomous system (AS). Each center can operate independently of the others: incoming user traffic is analysed and, if deemed legitimate, is forwarded to the customer's network.

BGP Anycast is used to direct traffic to the nearest traffic scrubbing center. This means that any traffic scrubbing center can respond to a user request sent to the same IP address in the Qrator Labs network.

With BGP Anycast, the routers that carry user traffic across the Internet also prefer a route to the available traffic scrubbing center that is topologically closest to the user. This is the center with which the user can exchange traffic as quickly as possible.

Each traffic scrubbing center has a direct link to Tier-1 backbone providers. This ensures that the Qrator Labs network remains available even in case of failures at individual service providers.


Today the Qrator Labs network includes 14 traffic scrubbing centers in North America, Europe, the Middle East, Asia, Russia and the CIS. The total network capacity is over 3000 Gbps.

The average application availability for Qrator Labs customers in 2021 was 99.9875%. If availability in any month is less than the SLA promised in the tariff, the customer does not pay for that month.

Receiving traffic from the user

As part of the initial setup, the customer, assisted by the Qrator Labs tech support team, configures the settings needed to ensure that all traffic from users reaches the customer's network not directly, but via the traffic scrubbing centers.

The specific steps required to configure traffic reception depend on the selected connection method. These steps are described in the relevant documentation.

Traffic analysis

The purpose of Qrator Labs is to send only legitimate user traffic (non-attack traffic) to the customer's network. To do this, Qrator Labs traffic scrubbing centers analyze traffic at all levels of the OSI/ISO network model.

To detect attacks, Qrator Labs uses behavioral, heuristic, and signature algorithms. Qrator Labs also adjusts its filtering methods automatically, using traffic patterns observed in the absence of DDoS attacks for training. This enables even application-layer attacks (L7 in the OSI/ISO model) that resemble the actions of regular users to be detected with high accuracy, and also makes it possible to distinguish DDoS attacks from increased visitor interest in a site.


The number of false positives during an attack does not exceed 5%.

The customer can access statistics on detected attacks in their personal dashboard. Attack statistics can also be retrieved via API. This allows Qrator Labs to be integrated with a monitoring system, a security operations center (SOC) or a security information and event management (SIEM) system, so that notifications arrive in a customer-friendly format.

The customer can set up blacklists and whitelists that influence how traffic is handled. This can be done both in the personal dashboard and via API.

Sending traffic to the customer

Various technologies can be used to communicate with the customer's hardware, depending on the customer's technical capabilities and the set of services they need.

For more information about the different ways of setting up a channel between Qrator Labs and the customer, see Connection.

For many of the services provided by Qrator Labs, it is possible to balance or reserve connections to the customer's network. In this case, each traffic scrubbing center can monitor the status of each customer upstream independently of the other centers and dynamically change the list of connections in use. For example, if a tunnel to one of the upstreams becomes unavailable from a particular region, the traffic scrubbing center in that region can automatically switch to a tunnel to another upstream to keep the resource available for users.
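
The per-center failover described above can be modelled as follows. This is an added example, not Qrator Labs code: the probe thresholds, the center and tunnel names, and the probe results are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumptions for this sketch (not values from the Qrator Labs documentation):
FAIL_THRESHOLD = 3  # consecutive failed probes before an upstream is dropped
RISE_THRESHOLD = 2  # consecutive good probes before it is used again


@dataclass
class ScrubbingCenter:
    name: str
    upstreams: list                              # ordered by preference
    healthy: dict = field(default_factory=dict)  # upstream -> current verdict
    streak: dict = field(default_factory=dict)   # probes contradicting the verdict

    def __post_init__(self):
        self.healthy = {u: True for u in self.upstreams}
        self.streak = {u: 0 for u in self.upstreams}

    def record_probe(self, upstream, ok):
        """Update this center's own view; no state is shared between centers."""
        if ok == self.healthy[upstream]:
            self.streak[upstream] = 0            # verdict confirmed, reset hysteresis
            return
        self.streak[upstream] += 1
        limit = RISE_THRESHOLD if ok else FAIL_THRESHOLD
        if self.streak[upstream] >= limit:
            self.healthy[upstream], self.streak[upstream] = ok, 0

    def active(self):
        """Upstreams to balance across; active()[0] is the one used in reserve mode."""
        up = [u for u in self.upstreams if self.healthy[u]]
        return up or list(self.upstreams)        # all look down: keep trying every one


def simulate(probes, upstreams=("tunnel-a", "tunnel-b")):
    """Feed (center, upstream, ok) probe results to per-center monitors."""
    centers = {}
    for center, upstream, ok in probes:
        c = centers.setdefault(center, ScrubbingCenter(center, list(upstreams)))
        c.record_probe(upstream, ok)
    return {name: c.active() for name, c in centers.items()}


# Constructed probe results: tunnel-a is unreachable from one region only.
SAMPLE_PROBES = [("eu", "tunnel-a", False)] * 3 + [
    ("eu", "tunnel-b", True), ("asia", "tunnel-a", True), ("asia", "tunnel-b", True)]

if __name__ == "__main__":
    print(simulate(SAMPLE_PROBES))
```

Only the center that sees the failure stops using the tunnel; the other keeps both upstreams in rotation, and a single good probe is not enough to bring a dropped upstream back.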