Ingress filtering

In general terms, an ingress filter protects a network from unwanted incoming traffic. In current usage, "ingress filter" refers specifically to blocking Internet packets that carry forged or invalid source (sender) addresses.

Operation

An ingress filter implemented on a router or firewall prevents IP packets with a forged source address from travelling from the outer edge of a network into its centre. The aim is therefore to intercept such packets before they enter the actual network. The precondition is that the routers or firewalls know all of the external networks they connect to the centre; a correctly populated routing table satisfies it. An ingress filter passes only IP packets whose source address belongs to a known network. All others are discarded.

Example: A service provider connects the network 171.17.128.0/18 to the Internet. It therefore knows that every IP packet arriving from this external network must carry a source address from the range 171.17.128.0 to 171.17.191.255. If a packet with a source address such as 192.168.130.7 arrives from this network, there is either a configuration error or an attack under way. In both cases it makes sense to discard the packet before it enters the Internet.

Setup

Ingress filters can be created statically, by manually entering all external networks of a service provider into an access list, or generated automatically from the routing table (reverse path filtering, RPF). Incorrectly configured filters, for example an access list or routing table that is missing one of a customer's legitimate prefixes, cause legitimate IP packets to be blocked.
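The decision logic of both variants, the static access list and the check derived from the routing table, written out as an added example that is not part of the page or of any router or firewall product. All prefixes, interface names (em0 on the customer side, em1 on the Internet side) and sample packets are constructed for the example. It also reproduces the two cases discussed under Limitations below: a spoofed address from the same /18 passes, and a packet entering from the Internet with the network's own prefix as source is dropped.

```python
"""Ingress filter decision logic, added here as a worked example.

Illustrative code, not from the page or from any vendor. The routing
table, access list, interface names (em0 = customer side, em1 =
Internet side) and the sample packets are all constructed.
"""
import ipaddress
from typing import Optional

# Constructed routing table of the provider's edge router: (prefix, interface).
# The customer network from the article is reached via em0; everything else
# goes to the Internet via the default route on em1.
ROUTING_TABLE = [
    (ipaddress.ip_network("171.17.128.0/18"), "em0"),
    (ipaddress.ip_network("0.0.0.0/0"), "em1"),
]

# Constructed static access list. On the customer side only the customer's
# own prefix is permitted as source. On the Internet side no complete permit
# list is possible, so only the one known-bad case is denied: our own prefix.
STATIC_ACL = {
    "em0": {"permit": [ipaddress.ip_network("171.17.128.0/18")]},
    "em1": {"deny": [ipaddress.ip_network("171.17.128.0/18")]},
}


def lookup_route(table, addr: str) -> Optional[str]:
    """Longest-prefix match: the interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def static_ingress_allows(acl, in_iface: str, src: str) -> bool:
    """Static variant: apply the permit/deny lists configured for in_iface.

    Deny entries win; if a permit list exists the source must match one of
    its prefixes; interfaces without any entry are left unfiltered.
    """
    entry = acl.get(in_iface)
    if entry is None:
        return True
    ip = ipaddress.ip_address(src)
    if any(ip in p for p in entry.get("deny", [])):
        return False
    if "permit" in entry:
        return any(ip in p for p in entry["permit"])
    return True


def strict_urpf_allows(table, in_iface: str, src: str) -> bool:
    """Reverse path filtering variant: the packet passes only if the route
    back to its source address leaves through the interface it arrived on."""
    return lookup_route(table, src) == in_iface


if __name__ == "__main__":
    # Constructed sample packets: (arrival interface, source address, comment)
    packets = [
        ("em0", "171.17.130.7", "legitimate customer packet"),
        ("em0", "192.168.130.7", "source outside the customer prefix: drop"),
        ("em0", "171.17.130.99", "spoofed within the same /18: passes (limitation)"),
        ("em1", "171.17.130.5", "from the Internet with our own prefix: drop"),
        ("em1", "203.0.113.9", "ordinary Internet source: cannot be judged, pass"),
        ("em0", "198.51.100.1", "customer prefix missing from table/ACL: wrongly dropped"),
    ]
    for iface, src, note in packets:
        print(f"{iface} {src:15} static={static_ingress_allows(STATIC_ACL, iface, src)!s:5} "
              f"urpf={strict_urpf_allows(ROUTING_TABLE, iface, src)!s:5}  {note}")
```

The last sample packet shows the misconfiguration failure mentioned above: if the customer also legitimately sources traffic from a prefix that is absent from both the routing table and the access list, both variants discard it. With reverse path filtering that mistake is only as likely as a routing error, which is why the automatic variant is usually preferred over a hand-maintained list.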

The OpenBSD firewall pf makes creating such a filter simple. The following configuration line makes pf discard packets whose source address is spoofed with respect to interface em0, that is, packets that claim an address from em0's network but arrive on a different interface (pf also drops packets that claim em0's own address):

    antispoof for em0

Limitations

Ingress filters offer only limited protection. They are completely ineffective against attacks launched from a genuine IP address, and equally against forged IP addresses taken from the same subnet as the attacker. If an attack originates from the IP address 171.17.130.5, packets with the spoofed source address 171.17.130.99 pass the ingress filter unhindered, because that address also lies within 171.17.128.0/18. Because of such limitations, and because operating them can be costly, ingress filters are rarely used in practice. There are, however, attack variants against which ingress filters provide effective protection. One example is the DNS amplification attack, which depends on forging the victim's address as the source of DNS queries.

The opposite direction, from the network centre outward (that is, packets coming in from the Internet towards an external network), generally cannot be secured with an ingress filter, because the filter cannot tell valid from invalid source addresses among the Internet's addresses. Filters can, however, catch one special case: packets arriving from the Internet side that carry the network's own external address range as source, which can never be legitimate.
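The pf rules below, added here as an illustration and not taken from the page or from the OpenBSD project, put the mechanisms discussed above into one pf.conf fragment: the expansion of antispoof for em0, a static access list for the customer-facing interface, reverse path filtering via pf's urpf-failed keyword, and the special case of packets arriving from the Internet with the network's own prefix as source. The interface names em0/em1 and the macro names are assumptions; the static rules and the urpf-failed rule are alternatives, and a real configuration would use one of them.

```pf
# Added example pf.conf fragment (not from the page). Assumed topology:
# em0 faces the customer network 171.17.128.0/18, em1 faces the Internet.
cust_if  = "em0"
ext_if   = "em1"
cust_net = "171.17.128.0/18"

# What "antispoof for em0" expands to (see pf.conf(5)): drop packets that
# claim an address from em0's network but arrive on a different interface,
# and packets that claim em0's own address.
block drop in on ! $cust_if inet from $cust_if:network to any
block drop in inet from $cust_if to any

# Variant 1, static access list: only the customer's own prefix may appear
# as source on the customer-facing interface; everything else is dropped.
block drop in quick on $cust_if inet from ! $cust_net to any
pass in on $cust_if inet from $cust_net to any

# Variant 2, generated from the routing table instead of a hand-written
# list: drop any packet whose source fails a strict reverse path check.
block drop in quick from urpf-failed

# The one case that can be filtered in the opposite direction: packets
# arriving from the Internet must never carry our own prefix as source.
block drop in quick on $ext_if inet from $cust_net to any
```

Note that none of these rules can stop the within-subnet case from the Limitations section: a packet from 171.17.130.5 that claims 171.17.130.99 matches $cust_net, arrives on the expected interface and therefore passes every rule above.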
