Connection: Ingress filtering

To use ingress filtering from Qrator Labs, you have to be a local Internet registry (LIR) and have your own autonomous system (AS). Connecting this service is possible for network prefixes of at least class C (/24).

To start using Ingress filtering:

Add prefixes

You can add prefixes in two steps.

First, describe the entire address space of the transit network that you want to protect and confirm the right to manage it. To do this, go to Prefixes on the Qrator tab of your personal dashboard and specify one or more network prefixes. It often makes sense to list directly the networks you manage, and not to divide them into smaller subnets. For each prefix, enter the number of your AS, the origin of the prefix. The prefix must belong to that AS according to the Internet registrar's database. To confirm the action of adding the prefix, Qrator Labs will send an email with a link to the address specified as tech-c for the corresponding AS.

Then add the confirmed networks or their subnets to Prefixes in the Ingress tab of the dashboard. At this point, you can use as small subnets of your networks as you like, for which you will be able to configure filtering policies later.

Setting up a channel to Qrator Labs

The channel between your autonomous system and Qrator Labs can be established in a variety of ways, including tunnels, physical junctions, or cross connects in data centers. The possible connection methods depend on the specific providers and data centers with which your transit network is connected.

The recommended connection method is to connect directly from your transit network to Qrator Labs using a dedicated ISP link or data center crossover. Consult the technical support team to determine the best connection method to protect your network.

Note that Ingress filtering works with inbound traffic, and outbound traffic is not required to be routed through Qrator Labs; see Differences from endpoint protection. In most cases, inbound traffic should be routed through the Qrator Labs network to take advantage of ingress filtering and make outbound traffic bypass the Qrator Labs network to ensure maximum speed for it.

Setting up filtering policies

Filtering policies are sets of limits applied to incoming traffic. Filtering policies are configured through the Ingress tab of the dashboard. They are in a many-to-many relationship with the prefixes you specify. This gives you the flexibility to customize filtering for your needs.


One possible approach to setting up filtering policies is to develop multiple filtering policies suitable for end-user networks with different traffic volumes, and assign the desired policies to the prefixes of each network.

When setting limits, it is recommended that you base your limits on the amount of legitimate traffic that passes through your network at normal times. The best way to express these volumes as a set of policies depends on the nature of the services on your end-user networks, the constancy or seasonality of their traffic, and the threat model. You can consult with Qrator Labs technical support experts to find the optimal ingress filtering policies suitable for your transit network.