Common IP Filtering Techniques

Route filtering

Through this process, certain routes are not considered for inclusion in the local route database or not announced. Filters can be applied at the routers, before the routes are announced (output filtering) or as soon as a route is learned (input filtering). There are different reasons for filtering:

  • To ensure that the use of private address space (RFC 1918) does not leak out into the global Internet, networks should block these prefixes in both their output and input filtering.
  • When a site is multihomed, announcing non-local routes to a neighbour different from the one it was learned from amounts to advertising the willingness to serve for transit. This is undesirable, unless suitable agreements are in place. You can avoid this issue by applying output filtering on these routes.
  • An ISP will typically perform input filtering on routes learned from a customer to restrict them to the addresses actually assigned to that customer. Doing so makes address hijacking more difficult. Similarly, an ISP will perform input filtering on routes learned from other ISPs to protect its customers from address hijacking.

In some cases, routers have insufficient amounts of main memory to hold the full global BGP table. By applying input filtering on prefix length (eliminating all routes for prefixes longer than a given value), on AS count, or on some combination of the two, the local route database is limited to a subset of the global table. This practice is not recommended, as it can cause sub-optimal routing or even communication failures with small networks, and frustrate the traffic-engineering efforts of one’s peers.

In the past, route filtering was also used to prevent IPv4 blocks that are not yet delegated by IANA, commonly called bogon address space. As IANA has depleted its available IPv4 address space, this practice is no longer needed.

Some networks are now blocking IPv4 prefixes that are being held at the Regional Internet Registries (RIR) and not yet delegated to any network. As RIRs delegate resources on a daily basis, this practice requires a daily update to the route filter. Unless a network has an automated and reliable tool to check the RIR databases, it is best not to perform this level of route filtering.

Firewall filtering

A firewall is a device, a set of devices, or a software application designed to permit or deny network transmissions based upon a set of rules to protect networks from unauthorized access while permitting legitimate traffic to pass. Many routers that pass data between networks contain firewall components and, conversely, many firewalls can perform basic routing functions. The different types of firewalls that can be defined depending on where the communication is taking place, where the communication is intercepted, and the state that is being traced.

  • Network layer firewalls or packet filters operate at the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established rule set defined by the administrator or applied by default. Modern firewalls can filter traffic based on many packet attributes such as source IP address, source port, destination IP address or port, or destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, of the source, and many other attributes.
  • Application layer firewalls work on the application level of the TCP/IP stack, intercepting all packets travelling to or from an application, dropping unwanted outside traffic from reaching protected machines, without acknowledgment to the sender. The additional inspection criteria can add extra latency to the forwarding of packets to their destination.
  • Mandatory access control (MAC) filtering or sandboxing protect vulnerable services by allowing or denying access based on the MAC address of specific devices allowed to connect to a specific network.
  • Proxy servers or services can run on dedicated hardware devices or as software on a general-purpose machine, responding to input packets such as connection requests, while blocking other packets. Abuse of an internal system would not necessarily cause a security breach, although methods such as IP spoofing could transmit packets to a target network.
  • Network address translation (NAT) functionality allows hiding the IP addresses of protected devices by numbering them with addresses in the “private address range”, as defined in RFC 1918. This functionality offers a defence against network reconnaissance

Firewall filtering requires constant adjustments to reflect the latest security policies, threat conditions, and address holdings. Outdated policies such as blocking IPv6 by default, or blocking certain IP addresses that sends malicious traffic, or blocking a whole network/ISP/Country may need to be reviewed from time to time to ensure overall network visibility do not degrade as more and more traffic gets accidentally discarded.

Email filtering

Email filtering is the manual or automatic processing of incoming emails to organize them according to set criteria (topic, sender, etc) and removal of spam and computer viruses. The filters allow clean messages to be delivered to the user’s mailbox, while redirecting tainted messages for delivery to a quarantine application for the user’s review, or even ignore them. Some mail filters are able to edit messages during processing, for example deactivating URLs in email messages to remove the threat before users click. Although less common, some companies inspect outgoing email to oversee that their employees comply with law requirements.

Email filters operate through a variety of techniques from matching a regular expression, a keyword, or the sender email address. More advanced solutions use statistical document classification techniques, IP reputation, and complex image analysis algorithms to prevent messages from reaching protected mailboxes.

Email filtering becomes problematic when a blacklisted IP address is transferred to a new network. The new network may have the mail traffic from the blacklisted IP address blocked and will have to contact various blacklist maintainers to delist the address. APNIC will be able to provide assistance by confirming to the blocking parties that the blacklisted address has changed hands, as long as the transfer was properly registered in the APNIC Whois Database.

This information was compiled after reviewing the following sources: Wikipedia, SpamHaus, ReturnPath and MAAWG published documents.