computer networking A computer network is a set of computers sharing resources located on or provided by network nodes. The computers use common communication protocols over digital interconnections to communicate with each other. These interconnections ar ...

, ingress filtering is a technique used to ensure that incoming packets are actually from the networks from which they claim to originate. This can be used as a countermeasure against various spoofing attacks where the attacker's packets contain fake

IP address An Internet Protocol address (IP address) is a numerical label such as that is connected to a computer network that uses the Internet Protocol for communication.. Updated by . An IP address serves two main functions: network interface ident ...

es. Spoofing is often used in

denial-of-service attack In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host conn ...

s, and mitigating these is a primary application of ingress filtering.

Problem

Networks receive packets from other networks. Normally a packet will contain the

of the computer that originally sent it. This allows devices in the receiving network to know where it came from, allowing a reply to be routed back (amongst other things), except when IP addresses are used through a proxy or a spoofed IP address, which does not pinpoint a specific user within that pool of users. A sender IP address can be faked ( spoofed), characterising a spoofing attack. This disguises the origin of packets sent, for example in a

. The same holds true for proxies, although in a different manner than IP spoofing.

Potential solutions

One potential solution involves implementing the use of intermediate Internet gateways (i.e., those servers connecting disparate networks along the path followed by any given packet) filtering or denying any packet deemed to be illegitimate. The gateway processing the packet might simply ignore the packet completely, or where possible, it might send a packet back to the sender relaying a message that the illegitimate packet has been denied. Host intrusion prevention systems (HIPS) are one example of technical engineering applications that help to identify, prevent and/or deter unwanted, unsuspected and/or suspicious events and intrusions. Any router that implements ingress filtering checks the source IP field of IP packets it receives, and drops packets if the packets don't have an IP address in the IP address block to which the interface is connected. This may not be possible if the end host is multi-homed and also sends transit network traffic. In ingress filtering, packets coming into the network are filtered if the network sending it should not send packets from the originating IP address(es). If the end host is a stub network or host, the router needs to filter all IP packets that have, as the source IP, private addresses (RFC 1918), bogon addresses or addresses that do not have the same network address as the interface.

Networks

''Network ingress filtering'' is a packet filtering technique used by many

Internet service provider An Internet service provider (ISP) is an organization that provides services for accessing, using, or participating in the Internet. ISPs can be organized in various forms, such as commercial, community-owned, non-profit, or otherwise privatel ...

s to try to prevent

IP address spoofing In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of impersonating another computing system. Background The basic protocol for sending ...

of Internet traffic, and thus indirectly combat various types of net abuse by making Internet traffic traceable to its source. Network ingress filtering makes it much easier to track

s to their source(s) so they can be fixed. Dr. David A. Wheeler
"What laws should be created to improve computer security?"
Network ingress filtering is a ''good neighbor'' policy that relies on cooperation between ISPs for their mutual benefit. The best current practices for network ingress filtering are documented by the

Internet Engineering Task Force The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and ...

in BCP 38 and 84, which are defined by RFC 2827 and RFC 3704, respectively. BCP 84 recommends that upstream providers of IP connectivity filter packets entering their networks from downstream customers, and discard any packets which have a source address that is not allocated to that customer. There are many possible ways of implementing this policy; one common mechanism is to enable reverse-path forwarding on links to customers, which will indirectly apply this policy based on the provider's route filtering of their customers' route announcements.

Deployment

As of 2012, one report suggests that, contrary to general opinion about the lack of BCP 38 deployment, some 80% of the Internet (by various measures) were already applying anti-spoofing packet filtering in their networks. At least one computer security expert is in favor of passing a law requiring 100% of all ISPs to implement network ingress filtering as defined in IETF BCP 38. In the US, presumably the FCC would enforce this law.

References

External links