In computer networking, ingress filtering is the process of filtering out packets that arrive from outside the network but carry a source address indicating origination from inside the network. This prevents an outside attacker from spoofing the address of an internal machine. It is normally done by a firewall or a gateway device.
While this is by no means the only way to implement an ingress filter, it is the one proposed by RFC 2827 [1], and in some sense the most deterministic one.
However, ingress access lists are typically maintained manually; for example, forgetting to have the list updated at the ISPs when the set of prefixes changes (e.g., as a result of multihoming) might lead to packets being discarded because they do not pass the ingress filter.
However, unless ingress filtering (or at least a limited subset of it) has been deployed at every border (towards the customers, peers and upstreams) -- blocking the use of your own addresses as source addresses -- the attackers may be able to circumvent the protections of the infrastructure gear.
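The two checks described above, and the stale-list failure that follows a multihoming change, as an added Python example that is not part of the original article. All prefixes, the interface name `cust-a` and the function names are constructed for illustration (RFC 5737 documentation ranges).

```python
import ipaddress

net = ipaddress.ip_network

# Constructed sample data (RFC 5737 documentation prefixes), not from the page.
INTERNAL = [net("192.0.2.0/24")]                  # our own address space
ACL = {"cust-a": [net("198.51.100.0/25")]}        # manually maintained list
ANNOUNCED = {"cust-a": [net("198.51.100.0/25"),   # what the customer now uses
                        net("203.0.113.0/24")]}   # added when it multihomed


def covered(prefixes, src):
    """True if the source address falls inside any of the given prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in prefixes)


def border_filter(src):
    """External-facing interface: drop packets claiming an internal source."""
    return "drop" if covered(INTERNAL, src) else "accept"


def customer_filter(iface, src):
    """Customer-facing interface: accept only sources on the access list."""
    return "accept" if covered(ACL.get(iface, []), src) else "drop"


def stale_prefixes(iface):
    """Prefixes the customer uses that the access list would discard."""
    acl = ACL.get(iface, [])
    return [p for p in ANNOUNCED.get(iface, [])
            if not any(p.subnet_of(a) for a in acl)]


if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.7"):
        print("border  ", src, border_filter(src))
    for src in ("198.51.100.7", "203.0.113.5"):
        print("cust-a  ", src, customer_filter("cust-a", src))
    print("stale   ", [str(p) for p in stale_prefixes("cust-a")])
```

Running `stale_prefixes` against each customer interface after a routing change shows which legitimate prefixes the manually maintained list would still discard.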