Ingress Filtering
In computer networking, ingress filtering is a technique used to ensure that incoming packets are actually from the networks from which they claim to originate. This can be used as a countermeasure against various spoofing attacks where the attacker's packets contain fake IP addresses. Spoofing is often used in denial-of-service attacks, and mitigating these is a primary application of ingress filtering.


Problem

Networks receive packets from other networks. Normally a packet will contain the IP address of the computer that originally sent it. This allows devices in the receiving network to know where it came from, allowing a reply to be routed back (amongst other things). The exception is when the address belongs to a proxy or is spoofed, in which case it does not pinpoint a specific user within the pool of users behind it. A sender IP address can be faked (spoofed), characterising a spoofing attack. This disguises the origin of the packets sent, for example in a denial-of-service attack. The same holds true for proxies, although in a different manner than IP spoofing.


Potential solutions

One potential solution involves having intermediate Internet gateways (i.e., those servers connecting disparate networks along the path followed by any given packet) filter or deny any packet deemed to be illegitimate. The gateway processing the packet might simply ignore the packet completely, or, where possible, it might send a packet back to the sender relaying a message that the illegitimate packet has been denied. Host intrusion prevention systems (HIPS) are one example of technical engineering applications that help to identify, prevent and/or deter unwanted, unsuspected and/or suspicious events and intrusions. Any router that implements ingress filtering checks the source IP field of the IP packets it receives and drops packets whose source address is not in the IP address block to which the receiving interface is connected. This may not be possible if the end host is multi-homed and also sends transit network traffic. In ingress filtering, packets coming into the network are filtered if the network sending them should not be sending packets from the originating IP address(es). If the end host is a stub network or host, the router needs to filter all IP packets that have, as the source IP, private addresses (RFC 1918), bogon addresses or addresses that do not have the same network address as the interface.
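The stub-network rule above (drop RFC 1918 sources, drop bogons, drop anything outside the receiving interface's own prefix) is small enough to show in full. The following is an added example written for this page, not code from the article or from any router vendor: the interface names, customer prefixes, sample packets and the short bogon list are all constructed, and a production filter would use a maintained bogon list rather than the handful of reserved ranges shown here. The `render_acl` helper shows the same policy as an IOS-style extended access list, using the wildcard-mask form those ACLs take.

```python
import ipaddress

# Constructed sample configuration for one access router (assumed, not from
# the article): each customer-facing interface and the prefix(es) assigned to
# the stub network behind it.
INTERFACE_PREFIXES = {
    "eth0": [ipaddress.ip_network("203.0.113.0/24")],
    "eth1": [ipaddress.ip_network("198.51.100.0/25")],
}

# RFC 1918 private address space: never a legitimate source on a customer link.
RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A short, constructed bogon list (reserved or unroutable ranges). A production
# filter would load a maintained list; this one is illustrative only.
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
           "192.0.0.0/24", "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4")]


def classify_source(src, ingress_if):
    """Decide whether a packet with source address src, arriving on ingress_if,
    passes the ingress filter. Returns (action, reason) with action "permit"
    or "drop". Checks run in the order a stub-network filter would apply them:
    private space, bogons, then the receiving interface's own prefix(es)."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in RFC1918):
        return ("drop", "rfc1918-source")
    if any(ip in net for net in BOGONS):
        return ("drop", "bogon-source")
    allowed = INTERFACE_PREFIXES.get(ingress_if)
    if allowed is None:
        return ("drop", "unknown-interface")
    if any(ip in net for net in allowed):
        return ("permit", "source-in-interface-prefix")
    return ("drop", "source-not-in-interface-prefix")


def filter_packets(packets):
    """Run the filter over (src, ingress_if) pairs and return a summary:
    counts per action plus the dropped packets with their reasons."""
    summary = {"permit": 0, "drop": 0, "dropped": []}
    for src, iface in packets:
        action, reason = classify_source(src, iface)
        summary[action] += 1
        if action == "drop":
            summary["dropped"].append((src, iface, reason))
    return summary


def render_acl(ingress_if):
    """Render the same policy as a Cisco IOS-style extended ACL for one
    interface: permit the interface's prefixes, deny and log everything else.
    Private and bogon sources fall through to the final deny."""
    name = f"BCP38-{ingress_if.upper()}"
    lines = [f"ip access-list extended {name}"]
    for net in INTERFACE_PREFIXES[ingress_if]:
        # IOS ACLs take a wildcard mask (inverted netmask), not a prefix length.
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any log")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample traffic as seen on the customer-facing interfaces.
    SAMPLE = [
        ("203.0.113.7", "eth0"),      # legitimate: inside eth0's prefix
        ("10.1.2.3", "eth0"),         # private source leaking out of the stub
        ("198.51.100.9", "eth0"),     # spoofed: belongs to the eth1 customer
        ("127.0.0.1", "eth1"),        # bogon
        ("198.51.100.100", "eth1"),   # legitimate on eth1
    ]
    print(filter_packets(SAMPLE))
    print(render_acl("eth0"))
```

The order of the checks matters only for the reason string reported; every one of the three tests is a drop. Note that the interface-prefix check is exactly what becomes impossible on a multi-homed customer link that also carries transit traffic, which is the case the next section's reverse-path approach has to handle.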


Networks

Network ingress filtering is a packet filtering technique used by many Internet service providers to try to prevent IP address spoofing of Internet traffic, and thus indirectly combat various types of net abuse by making Internet traffic traceable to its source. Network ingress filtering makes it much easier to track denial-of-service attacks to their source(s) so they can be fixed (Dr. David A. Wheeler, "What laws should be created to improve computer security?"). Network ingress filtering is a "good neighbor" policy that relies on cooperation between ISPs for their mutual benefit. The best current practices for network ingress filtering are documented by the Internet Engineering Task Force in BCP 38 and 84, which are defined by RFC 2827 and RFC 3704, respectively. BCP 84 recommends that upstream providers of IP connectivity filter packets entering their networks from downstream customers, and discard any packets which have a source address that is not allocated to that customer. There are many possible ways of implementing this policy; one common mechanism is to enable reverse-path forwarding on links to customers, which will indirectly apply this policy based on the provider's route filtering of their customers' route announcements.
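Reverse-path forwarding applies the BCP 84 policy without a per-customer ACL: the router looks up the packet's source address in its own forwarding table and asks whether the route back to that source leaves through the interface the packet arrived on. The following is an added example for this page, not code from the article, the IETF or any vendor; the forwarding table, interface names and sample packets are constructed, and the "strict" and "loose" modes implemented here are the two common unicast RPF behaviours. It goes slightly beyond the text by showing why strict mode misfires on the multihomed customer that BCP 84 is concerned with.

```python
import ipaddress

# Constructed forwarding table (FIB) for a provider edge router; assumed for
# this example, not taken from the article. Each entry is (prefix, interface).
# Customer routes come from the customers' filtered BGP announcements; the
# default route points at the provider's transit uplink.
FIB = [
    ("0.0.0.0/0", "up0"),            # default toward upstream transit
    ("203.0.113.0/24", "cust1"),     # announced by customer 1
    ("198.51.100.0/24", "cust2"),    # announced by customer 2
    ("198.51.100.128/25", "cust3"),  # customer 3 is multihomed: a more specific
                                     # route for part of that block via cust3
]
FIB_PARSED = [(ipaddress.ip_network(p), iface) for p, iface in FIB]


def lookup(addr):
    """Longest-prefix match: the FIB entry the router would use to reach addr,
    or None if nothing matches (the default route means None never occurs here)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in FIB_PARSED:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(src, ingress_if):
    """Strict uRPF: the packet passes only if the best route back to its source
    address exits through the very interface it arrived on."""
    route = lookup(src)
    return route is not None and route[1] == ingress_if


def urpf_loose(src):
    """Loose uRPF: the packet passes if the FIB has any route covering the
    source other than the default. Weaker, but safe on multihomed links."""
    route = lookup(src)
    return route is not None and route[0].prefixlen > 0


def evaluate(packets):
    """Apply both modes to (src, ingress_if) pairs; returns a list of
    (src, ingress_if, strict_result, loose_result)."""
    return [(s, i, urpf_strict(s, i), urpf_loose(s)) for s, i in packets]


if __name__ == "__main__":
    SAMPLE = [  # constructed packets arriving on customer links
        ("203.0.113.5", "cust1"),      # genuine: cust1's own prefix
        ("203.0.113.5", "cust2"),      # spoofed: cust2 claims cust1's address
        ("198.51.100.200", "cust2"),   # genuine but multihomed: best route is via cust3
        ("192.0.2.1", "cust1"),        # no customer route at all, only the default
    ]
    for row in evaluate(SAMPLE):
        print(row)
```

The third sample packet is the multihoming problem in miniature: customer 2 legitimately owns 198.51.100.0/24, but because the more specific 198.51.100.128/25 is reached via cust3, strict mode drops its traffic, while loose mode passes it (and would also pass a spoofed source, as long as some customer route covers it). Either way the check is only as trustworthy as the routes in the FIB, which is why the text ties it to the provider's filtering of customer route announcements.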


Deployment

As of 2012, one report suggests that, contrary to general opinion about the lack of BCP 38 deployment, some 80% of the Internet (by various measures) was already applying anti-spoofing packet filtering in its networks. At least one computer security expert is in favor of passing a law requiring 100% of all ISPs to implement network ingress filtering as defined in IETF BCP 38. In the US, presumably the FCC would enforce this law.


See also

* Egress filtering
* Ingress cancellation
* Prefix hijacking


External links

* RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing (BCP 38)
* RFC 3704 - Ingress Filtering for Multihomed Networks (BCP 84)
* Jay R. Ashworth, BCP38.info, http://www.bcp38.info/
* IETF's BCP Index
