SafetyDetectives spoke with Alexander Lyamin, Founder and CEO of Qrator Labs. We spoke about how he started the company, what it’s like to operate with billion-dollar companies, and how Qrator Labs helps prevent or mitigate DDoS attacks.
Thank you for taking the time to speak with me. Can you tell me what motivated you to start Qrator Labs?
Qrator Labs started in a natural way as a Moscow State University project. Along with my cofounders, we were looking for a way to solve the problem of DDoS attacks: the nature, mechanics, and how to effectively mitigate them. The project was really successful.
I’m grateful for the University management that gave us a place for our equipment and to use the University infrastructure for our research. However, I think it was on June 21st or 22nd, 2010, that the University was hit by a DDoS attack that was explicitly over the university network capabilities.
The University management approached me and said that the timing was lucky since it was midterms and no one was studying. However, they can’t afford for the University network to go down when there are students in class, and since we weren’t attracting any federal funding, they kindly asked us to move the project elsewhere.
At the same time, I worked for different companies as a consultant to build distributed internet applications. I was able to take money from those projects as funding and started the company. In September 2010, we launched our first segment of our network and had our first customers.
We started thinking about how we could prove that our network was working and was better than the University infrastructure. Then we were approached by a Russian version of Slashdot, which is basically a Russian IT community, and they became the first customer. And we instantly had pretty significant coverage from relevant media. So, it took two months to launch the network and find our first clients, and this is how we stopped being a University project and became a business.
What are some things you learned during the startup stages of Qrator Labs?
Things were very stressful at the beginning. During the two years that we were a University project, we helped any business with a DDoS problem that was operating in the legal field, like real estate developers, mass media, banks, and e-commerce resources. We always declined companies that weren’t compatible with the University, like creepy TV shows on national TV.
So, for two years that we worked for free, we accumulated more than 600 successful cases. And I was thinking, hey, it’s kind of interesting. So, we will probably have a 10 to 15% conversion ratio. Right? That sounds reasonable, and we will go self-sustainable in six months. This was the initial business plan. Oh boy, I was wrong. The actual conversion ratio was less – a little bit less than 1%. We went to zero buoyancy in one year instead of six months. But this was great. It’s real. All right.
But after that, we grew naturally, and in the past five years, we’ve been growing around 40% a year, which is also quite healthy and allows us to take more time hiring great people instead of people that we need right now. That’s very important for our company culture.
Also, an interesting side note in hindsight. When I was just starting the company, I met someone at a wedding party in San Francisco, from a venture capital company in New York, and he told me, “Sasha, bootstrap while you can. Don’t take VC money.” And I remember that it really, really had an influence on our decision. We’re still bootstrapping, and I still don’t own a car. I’m still walking. Thank God, Prague has a really good transportation system, but I do still walk.
We are still privately held and have healthy growth, and we’re competing with multi-billion dollar companies and doing it, I’d say quite well. And for me personally, it’s quite a sport. It’s like a David versus Goliath. If you know what I’m talking about. I understand that it’s scary. It’s really scary. But it’s also sweet. And this is why I do enjoy my job.
How do you stay competitive with these multi-billion-dollar companies?
One word — product.
To elaborate a little bit, the product is a function of our company culture. And while the company culture might not be verbalized, it’s still very, very prominent in our company and we keep this spirit of the university lab. This is why we call ourselves Qrator (“curator”) Labs.
I decided to launch the company in June, and in August, Kaspersky Labs launched its own DDoS mitigation product. For me, at this point in time, it was despair because, you know, Kaspersky, right, big brand, big contracts instantly, immeasurable resources compared to our five-person operation. But still, we were getting the better product. I believe conducted research on the Russian market in 2015, and we were ranked as the number one product in the region, outperforming Rostelecom, Kaspersky, and other players in the market.
One of the things that we got right back then was done, strangely enough, due to the founder’s paradox mistake, which is where every founder usually over-appreciates his own products. And he thinks, oh, boy, everyone needs that, or everyone will buy that. So, we were targeting small businesses, like really small businesses, like flower shops by the Metro station or custom cedar wood boxes, or whatever. The idea Humans are amazing, but machines are exact and precise. If you program them correctly, they do way better than humans. So, with this in mind, we were determined that our product would be fully automated. I mean that we automatically detected and mitigated DDoS problems for all our customers.
With the competition’s products, users had to specifically login to the Control Panel and click an “I’m under attack” button so the filters would kick in. Then you have to configure rules and things like that manually. This doesn’t work well for small and medium businesses; it just doesn’t work. People don’t have the same expertise, and, in the end, they pay you money for your expertise.
What is your flagship product?
We do what people call DDoS mitigation, but we call it application availability because many other factors can cause your application to go down. Routing issues, DNS issues, certificate issues. What we do with our main product is that we keep our customer applications online no matter what.
We also have a BGP Anycast that announces one IP address from multiple locations. It’s quite an easy concept to understand, but it’s really, really, really hard to master. Because the internet is usually asymmetrical, the ingress path for your packet and the egress path will most likely differ approximately 80% of the time. And to build this network is actually quite a challenge. You have to understand protocols that manage this global BGP routing, more than just know, and you have to have a visceral understanding of how BGP works. And when building our network, we had a challenge; we had to understand exactly what paths the packet would travel in order to land on the edge of our infrastructure. So we can predict with a mathematical model how the traffic will distribute in the case of an attack.
We wanted to take the data from CAIDA, a website that does a lot of BGP research, and improve it in our own way. We thought it would be a weekend project, but it ended up taking over three years. What we developed was a way to predict the reverse path, which no one else was doing. It was an extremely complex mathematical problem, and we solved it, so we could build a more complex network.
How does Qrator Labs prevent or lessen the impact of DDoS attacks?
We observe all the traffic to our customers, starting from the basic packet, the quantum of a packet-switched network. Then we restructure these packets into TCP sessions and user experiences and do statistical analysis and pattern matching. People call it machine learning, but I would say it’s more like statistical analysis. Then, using patterns from the traffic to learn from a particular customer and all other customers on our network, we can detect and prevent malicious traffic from reaching customers’ applications – essentially keeping them online, no matter what.
It doesn’t require customer interaction. As I mentioned, you don’t have to turn on attack protection mode.