Connection: BGP

If your organization has its own autonomous system (AS), you can connect to Qrator Labs via BGP and advertise your prefixes. Thus, the Qrator Labs autonomous system will act as a transit AS, through which all traffic associated with the advertised prefixes will pass.

The Qrator Labs network is connected to several Tier 1 ISPs and advertises your prefixes to each of them. Each ISP will choose the route that goes through the Qrator Labs router closest to it so that traffic from anywhere in the world will reach you with minimum latency. Any traffic that Qrator Labs recognizes as an attack will not be sent to your network.

To connect to Qrator Labs via BGP:

  1. Add prefixes.
  2. Set up a channel to Qrator Labs.
  3. Set up BGP peering with Qrator Labs.
  4. Describe the service map.
  5. Advertise prefixes.

Adding prefixes

Specify in advance in the Prefixes section of your dashboard each prefix that you are going to advertise and the corresponding number of your AS, which will be the origin for this prefix. The prefix must belong to that AS according to the Internet registrar database.

To confirm the addition of a prefix, Qrator Labs will send an email with a link to the address listed as tech-c for the corresponding AS.

Setting up a channel to Qrator Labs

A BGP session requires a point-to-point channel between your network and the Qrator Labs network. Virtual tunnels such as GRE, IPIP or MPLS L2 VPN are most often convenient for this. In some cases, other methods are available, such as dedicated channels or physical switching within the same data center.

BGP peering is established over this channel, so the selected prefixes from your AS are advertised only to the Qrator Labs network.

This is important because you need to ensure that all inbound traffic related to the advertised prefixes passes through Qrator Labs. Note that if you advertise prefixes to ISPs directly, an attacker will be able to direct a DDoS attack through another route, bypassing the Qrator Labs network.

Even if the ISP advertises a route to a supernet (less specific route) and Qrator Labs advertises a route to the subnet (more specific route), there would still be the risk of accidental or targeted traffic to the subnet through the ISP, bypassing the Qrator Labs network.
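The two bypass cases described above can be checked from outside your network. The following is an added example, not Qrator Labs code: it audits routes observed at an external vantage point (for example, a looking glass export) and flags any route that covers a protected prefix without the scrubbing AS in its path. All AS numbers and prefixes are constructed placeholders from the documentation ranges, and SCRUBBER_AS is not the real Qrator Labs AS number.

```python
import ipaddress

# Constructed placeholders (RFC 5398 documentation ASNs, RFC 5737 prefixes).
SCRUBBER_AS = 64496          # stands in for the scrubbing network's AS
PROTECTED = ["203.0.113.0/25"]

# Constructed sample: (prefix, AS path from the observer to the origin).
SAMPLE_ROUTES = [
    ("203.0.113.0/25", [64510, 64496, 64500]),   # via the scrubbing AS: fine
    ("203.0.113.0/25", [64511, 64501, 64500]),   # same prefix leaked to an ISP
    ("203.0.113.0/24", [64511, 64501, 64500]),   # ISP advertises the supernet
    ("198.51.100.0/24", [64511, 64501, 64502]),  # unrelated prefix: ignored
]

def audit_routes(protected, routes, scrubber_as=SCRUBBER_AS):
    """Return (protected, observed, kind, path) for every bypass route."""
    nets = [ipaddress.ip_network(p) for p in protected]
    findings = []
    for prefix, path in routes:
        seen = ipaddress.ip_network(prefix)
        for net in nets:
            if seen.version != net.version:
                continue  # subnet_of() raises TypeError on mixed versions
            if seen == net:
                kind = "same prefix"
            elif seen.subnet_of(net):
                kind = "more specific"
            elif net.subnet_of(seen):
                kind = "less specific (supernet)"
            else:
                continue  # route does not cover the protected prefix
            # Any covering route that avoids the scrubbing AS is a path
            # by which traffic can reach the prefix unfiltered.
            if scrubber_as not in path:
                findings.append((str(net), prefix, kind, tuple(path)))
    return findings

if __name__ == "__main__":
    for protected, observed, kind, path in audit_routes(PROTECTED, SAMPLE_ROUTES):
        print(f"BYPASS {protected}: {observed} ({kind}) via AS path {path}")
```

An empty result means every observed route covering the protected prefixes passes through the scrubbing AS.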

To ensure fault tolerance and reliability, it is recommended to create two or more channels to Qrator Labs. For example, these may be two different GRE tunnels through different providers. For its part, Qrator Labs also pays great attention to redundancy, so even if part of the hardware goes down or fails, the AS as a whole will remain available and be able to keep your site available and protected through another channel.

Setting up BGP peering with Qrator Labs

After creating a point-to-point channel between your network and the Qrator Labs network, configure your hardware to set up a BGP session over this channel.

For step-by-step instructions, including configuration examples for popular hardware manufacturers, contact Qrator Labs support.

Service map description

When analyzing BGP traffic, traffic scrubbing centers are guided by the information provided by the customer in the IP addresses and Ports and protocols sections of the dashboard. This information is collectively referred to as the service map and describes the direction and volume of legitimate traffic expected by the customer.

To start describing traffic, create one or more services in Services. Then, for each service, define a list of IP addresses (in the IP addresses section) and a list of ports and protocols (in the Ports and protocols section). All inbound and outbound traffic that does not match what is described in the service map will be discarded.

Advertising prefixes

Advertisement of your prefixes is started directly through BGP and does not require any action in your dashboard. The Qrator Labs network will begin advertising your prefixes as soon as your hardware starts advertising them to the Qrator Labs autonomous system. If you pause the advertising of any prefix, Qrator Labs will immediately suspend its advertising and also stop passing traffic to this prefix.

Note that Qrator Labs does not process the BGP community attribute when advertising prefixes.
