Wednesday

How Your Internet is Filtered - TCP/IP Header Filtering

Following on from my previous post on how countries (and indeed companies, schools etc) filter your internet access - we'll move to the next general method - TCP/IP header filtering. This method is actually the simplest, cheapest and the easiest to implement.

The concept relies on the fact that an IP packet consists of two distinct parts - the header and the data carried by the packet. IP is actually an a connectionless protocol which means that it does not contain any information on the state of a connection. Each datagram is independent and as such must contain all the information in the header for it to be delivered independently.



So without getting too technical, the header in each individual IP segment contains the source and destination IP addresses required for the packet to be delivered. The devices which most rely on this header are the routers and switches which relay information across the internet and internal networks. A router will inspect each header for every packet that passes through it in order to send it onwards to its destination.

These packets contain you web requests and surfing data and so can be used to control your access to the internet.  So a very simple method of internet filtering, is to merely instruct gateway routers to drop all packets destined for a specific IP address. So for instance if your only concern was to block access to Facebook, then all you would have had to do is find out all the IP addresses of Facebook servers and add these to a blacklist on the router.

This actually works very well, but it can also cause problems in some cases as all services will be blocked on that IP address. For instance if you want to send an email which was directed to that server it would also be blocked. This rather blunt method can be refined slightly by specifying a port as well as an IP address (normally the default port for most web servers - 80).

There are other issues as many countries have also discovered if you block IP addresses like this. The problem is that it's not quite so simple that one web site will have one IP address. In fact in these days of distributed computing you'll find that services and web sites will be spread across multiple IP addresses and servers. So if you try and block an IP address related to YouTube for instance, you'll also end up breaking other Google applications such as analytics, webmaster tools which was exactly happened earlier this year in Turkey.

The other major problem of course is that IP addresses change, they are not always going to stay associated with the same web sites. One minute you can be blocking one web site, but a week later you might find you're blocking something completely different on that IP address (whilst unblocking the original website).


So how can you bypass this particular mode of internet filtering?

Well it's actually quite easy, depending on how it's set up. The key is that the destination IP address is the only thing that is being checked so if you change this then the packet will be allowed through. This is one of the only circumstances where you can use a standard proxy to beat internet filtering, because if you connect to a proxy server that will be the destination in the TCP/IP header. So unless the proxy server IP address is in the blocked list on the router it will acually be allowed through.  So if you find a free web proxy online and just surf through that then your web surfing should be unfiltered.

There is one other thing to remember when using this method and why you'll probably be restricted to surfing using a web proxy in a frame or window.   Most companies and education networks will add another setting  to further reject all traffic on port 80 unless it is directed through the approved proxy server.  This adds another layer of defence to stop people just routinely using an alternative proxy server and ensuring they can also filter URLs on their own proxies.  This will be configured on a gateway router or the firewall protecting the internal network from the internet.   To bypass this you either have to surf out through another port or tunnel through  the approved proxy as Identity Cloaker is able to do.

If you're setting up your own external proxy or VPN then consider using Port 443 which will rarely be blocked completely as it is needed for HTTPS sessions.

0 comments: