Ingress filtering

Ingress filtering

In computer networking, ingress filtering is a technique used to make sure that incoming packets are actually from the networks that they claim to be from.

Contents

Problem

Networks receive packets from other networks. Normally a packet will contain the IP address of the computer that originally sent it. This allows devices in the receiving network to know where it came from, allowing a reply to be routed back (amongst other things).

However, a sender IP address can be faked ('spoofed'), characterising a Spoofing attack. This disguises the origin of packets sent, e.g., in a Denial-of-service attack.

Solution

Filtering a packet is when the packet is not processed normally, but is denied in some way. The computer processing the packet might simply ignore the packet completely, or where it is possible it might send a packet back to the sender saying the packet is denied.

In ingress filtering, packets coming into the network are filtered if the network sending it should not send packets from IP addresses of the originating computer.

In order to do ingress filtering, the network needs to know which IP addresses each of the networks it is connected to may send. This is not always possible. For instance, a network that has a single connection to the Internet has no way to know if a packet coming from that connection is spoofed or not.

Edge networks, whether multi-homed or not, usually have a limited number of address blocks in use. Such edge networks should filter packets leaving their networks, verifying that the source IP address in all packets is within the allocated address blocks. Enterprises, universities and others who run edge networks should be doing this. The purpose is to prevent computers on your network from spoofing (acting as another). Implementation for edge networks of egress packets in this way is very simple and should be done with access lists.

Networks

Network ingress filtering is a packet filtering technique used by many Internet service providers to try to prevent source address spoofing of Internet traffic, and thus indirectly combat various types of net abuse by making Internet traffic traceable to its source.

Network ingress filtering is a "good neighbor" policy which relies on cooperation between ISPs for their mutual benefit.

The best current practice for network ingress filtering is documented by the Internet Engineering Task Force in BCP 38, which is currently defined by RFC 2827.

BCP 38 recommends that upstream providers of IP connectivity filter packets entering their networks from downstream customers, and discard any packets which have a source address which is not allocated to that customer.

There are many possible ways of implementing this policy; one common mechanism is to enable reverse path forwarding on links to customers, which will indirectly apply this policy based on the provider's route filtering of their customers' route announcements.

See also

External links

  • RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
  • RFC 2827 (BCP 38)

Wikimedia Foundation. 2010.

Игры ⚽ Нужно сделать НИР?

Look at other dictionaries:

  • Ingress — may refer to:*The act of entering. Antonym of egress. *A type of noise typically encountered when using coaxial cable *Ingress Bell (1834 1913), an English architect *Ingress filtering, a computer network packet filtering technique *Ingress… …   Wikipedia

  • Ingress Filter — Mit einem Ingress Filter werden, allgemein formuliert, Netze vor unerwünschtem Eingangsdatenverkehr geschützt. Im derzeitigen Sprachgebrauch ist mit Ingress Filter speziell das Abblocken von Internet Paketen mit gefälschten oder fehlerhaften… …   Deutsch Wikipedia

  • Ingress — Unter Ingress (engl. Eindringen) versteht man elektromagnetische Störungen, die in Koaxialkabeln durch Sendeanlagen, Haushaltsgeräte, Schaltnetzteile usw. entstehen. Die Störungen treten vor allem dann auf, wenn das Kabel oder dessen Schirmung… …   Deutsch Wikipedia

  • Egress filtering — In computer networking, egress filtering is a method of filtering electronic traffic that contributes to the security of a network and therefore makes it less prone to attacks from crackers.This method of filtering prevents crackers from using a… …   Wikipedia

  • Forwarding Information Base — A Forwarding Information Base (FIB), also known as a forwarding table, is most commonly used in network bridging, routing, and similar functions to find the proper interface to which the input interface should send a packet to be transmitted by… …   Wikipedia

  • IP traceback — is a name given to any method for reliably determining the origin of a packet on the Internet. The datagram nature of the Internet makes it difficult to determine the originating host of a packet – the source id supplied in an IP packet can be… …   Wikipedia

  • Smurf attack — The Smurf attack is a way of generating a lot of computer network traffic to a victim host. That is, it is a type of denial of service attack. Specifically, it floods a target system via spoofed broadcast ping messages.In such an attack, a… …   Wikipedia

  • Application Gateway — Eine externe (Netzwerk oder Hardware ) Firewall (von engl. firewall [ˈfaɪəwɔːl] „die Brandwand“) stellt eine kontrollierte Verbindung zwischen zwei Netzen her. Das könnten z. B. ein privates Netz (LAN) und das Internet (WAN) sein; möglich ist… …   Deutsch Wikipedia

  • Content-filter — Eine externe (Netzwerk oder Hardware ) Firewall (von engl. firewall [ˈfaɪəwɔːl] „die Brandwand“) stellt eine kontrollierte Verbindung zwischen zwei Netzen her. Das könnten z. B. ein privates Netz (LAN) und das Internet (WAN) sein; möglich ist… …   Deutsch Wikipedia

  • Hardware-Firewall — Eine externe (Netzwerk oder Hardware ) Firewall (von engl. firewall [ˈfaɪəwɔːl] „die Brandwand“) stellt eine kontrollierte Verbindung zwischen zwei Netzen her. Das könnten z. B. ein privates Netz (LAN) und das Internet (WAN) sein; möglich ist… …   Deutsch Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”