Ingress filtering is a method used by enterprises and internet service providers (ISPs) to prevent suspicious traffic from entering a network. When configured on an edge device such as a router or firewall, ingress filtering examines all inbound packets and then permits or denies entry to the network based on information in the packet header. It is a form of packet filtering.
Ingress traffic filtering is one of the first lines of defense in a network security strategy. It is intended to prevent cyberattacks, particularly denial of service (DoS) attacks that use IP address spoofing.
Preventing IP spoofing and denial-of-service attacks
At its simplest, ingress filtering involves establishing an access control list that contains the Internet Protocol addresses (IP addresses) of permitted source addresses. Conversely, the access control list may also be used to block prohibited source addresses.
Ingress filtering takes advantage of the Layer 2 IP address filtering capability of a router at the network’s edge and blocks traffic that has a high probability of being malicious. It makes this determination based on whether the contents of an IP packet header meet defined criteria. The packet filter examines several attributes, most notably in this case the source IP address. If the source address is invalid — that is, if it doesn’t match its originating network — the filter determines the address is forged (or “spoofed”) and drops the packet.
Ingress filtering is also a feature on switches; in that context, it is used to filter traffic on virtual LANs (VLANs) to prevent malicious activity within a private network, such as VLAN hopping. In VLANs, ingress filtering will discard frames whose port is not a member of the VLAN it is trying to access.
How ingress filtering works
Source IP addresses that are commonly blocked with ingress filter include:
- IP addresses that are already in use as an IP address within the internal network. This helps prevent an attacker from spoofing an internal IP address to take advantage of a poorly written firewall rule.
- IP addresses that are private. This helps prevent malicious traffic coming in from an improperly configured internet-based host or an attacker’s spoofed address.
- IP addresses that are loopbacks. This helps prevent traffic from an attacker who is spoofing a loopback address to take advantage of a poorly written firewall rule base.
- IP addresses that are multicast addresses. This helps prevent undesired multicast traffic that is likely to be spam.
- IP addresses that are service or management network addresses. This helps prevent an attacker from using the public internet to gain unauthorized access to network services running at the network application layer and above.
Additionally, network administrators may want to whitelist traffic from specific regions of the world that their organization does business with or blacklist dangerous regions of the world that their company prefers to not access its environment. There are several free and subscription-based services that can be used to create access control lists for network border routers.
Ingress filtering vs. egress filtering
Ingress filtering is one type of packet filtering. Its counterpart is egress filtering, which is used to examine outbound traffic and only allows packets to leave the network if they meet predetermined policies set by an administrator. Egress filtering is used to prevent malicious activity, such as infected machines attempting to leak data to remote hosts, or to block legitimate users from accessing prohibited services, such as online gaming sites.