Ingress filter

from Wikipedia, the free encyclopedia

In general terms, an ingress filter protects a network from undesired incoming traffic. In current usage, the term specifically means the blocking of Internet packets that carry a falsified or otherwise invalid sender address.

How it works

An ingress filter implemented on a router or firewall prevents IP packets with a falsified sender address from reaching the core of a network from its outer edge. The aim is to intercept such packets before they enter the actual network. The prerequisite is that the routers or firewalls know all external networks they connect to the core; this is the case if the routing table is set up correctly. An ingress filter lets through only IP packets whose sender address is valid for the network they arrive from; all others are discarded. A similar function can be achieved with unicast reverse path forwarding (uRPF).

Example: A service provider connects the network 171.17.128.0/18 to the Internet. It knows that every IP packet arriving from this external network must have a sender address from this address range. If a packet with the sender address 192.168.130.7, for example, arrives from this network, either a configuration error or an attack involving a falsified IP sender address has occurred. In both cases it makes sense to discard the packet rather than forward it.

Setup

Ingress filters can be set up statically, by manually adding all of the operator's external networks to an access list, or they can be generated automatically from the routing table (reverse path filtering). Incorrectly configured filters can lead to legitimate IP packets being blocked.

The OpenBSD firewall pf allows such a filter to be set up easily. With this configuration line, packets with a falsified sender address arriving on the network interface em0 are discarded:

antispoof for em0

Limitations

Ingress filters offer only limited protection. They are completely ineffective against attacks that use a valid IP address, which includes spoofed addresses taken from the attacker's own subnet. If, for example, an attack originates from the IP address 171.17.130.5, packets with the falsified sender address 171.17.130.99 would pass the ingress filter unchallenged. Because of such limitations, and because operating them is sometimes complex, ingress filters are rarely used in practice. There are, however, types of attack against which ingress filters offer effective protection; one example is the DNS amplification attack.

The reverse direction, i.e. from the network core outwards, cannot in general be secured with an ingress filter, since valid and invalid sender addresses cannot be told apart there. It is, however, possible to use filters for the special case of packets arriving from the network core that carry a sender address belonging to one of the operator's own external networks.
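The following is an added example, not part of the original article: a minimal reverse-path filter in Python that derives the ingress check from a routing table, run over the cases discussed above (the provider's example, the same-subnet spoofing limitation, and the special outbound case). The routing table, the interface names em0/em1 and the sample packets are constructed for the example.

```python
import ipaddress

# Constructed routing table for the edge router: prefix -> outgoing interface.
# em0 faces the external network from the article's example; em1 faces the core,
# which also carries the default route (everything the router knows nothing else about).
ROUTES = {
    ipaddress.ip_network("171.17.128.0/18"): "em0",
    ipaddress.ip_network("0.0.0.0/0"): "em1",
}

def reverse_path_interface(src, routes=ROUTES):
    """Longest-prefix match: the interface the router would use to reach src."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None

def ingress_allowed(iface, src, routes=ROUTES):
    """Reverse-path filter: accept a packet only if the route back to its source
    address leaves through the interface the packet arrived on."""
    return reverse_path_interface(src, routes) == iface

def static_acl(iface, routes=ROUTES):
    """Static equivalent: the source prefixes permitted on iface, taken from the table
    (the default route is excluded, as it says nothing about where a source lives)."""
    return {str(p) for p, i in routes.items() if i == iface and p.prefixlen > 0}

def filter_packets(packets, routes=ROUTES):
    """Apply the filter to (ingress_interface, source_address) pairs; return decisions."""
    return [(iface, src, "pass" if ingress_allowed(iface, src, routes) else "drop")
            for iface, src in packets]

if __name__ == "__main__":
    # Constructed sample packets covering the cases discussed in the article.
    sample = [
        ("em0", "171.17.130.5"),    # valid source from the external network: pass
        ("em0", "192.168.130.7"),   # spoofed, outside 171.17.128.0/18: drop
        ("em0", "171.17.130.99"),   # spoofed but inside the same /18: passes (limitation)
        ("em1", "171.17.130.5"),    # from the core with an external source address: drop
        ("em1", "198.51.100.9"),    # from the core with any other source: cannot be judged, pass
    ]
    for iface, src, decision in filter_packets(sample):
        print(f"{iface} {src:16} {decision}")
```

The last two sample packets show why the outbound direction is only partly checkable: a core packet bearing one of the external prefixes is rejected, but any other source address matches the default route and is let through.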

Depending on the platform on which packet filters run, they are processed either in hardware or in software by the device's CPU. With software-based processing, latency can occur, i.e. permissible packets are delayed by the processing. With hardware-based packet filters, the decision whether a packet is permitted is made in near real time. However, the number of packet filter entries that can be processed in hardware may be limited; the limit is given in the manufacturer's specifications.

Literature

  • RFC 2827, P. Ferguson: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing (BCP 38)
  • RFC 3704, F. Baker: Ingress Filtering for Multihomed Networks (BCP 84)