Ingress filtering

Last updated

In computer networking, ingress filtering is a technique used to ensure that incoming packets are actually from the networks from which they claim to originate. This can be used as a countermeasure against various spoofing attacks where the attacker's packets contain fake IP addresses. Spoofing is often used in denial-of-service attacks, and mitigating these is a primary application of ingress filtering. [1]

Contents

Problem

Networks receive packets from other networks. Normally a packet will contain the IP address of the computer that originally sent it. This allows devices in the receiving network to know where it came from, allowing a reply to be routed back (amongst other things), except when IP addresses are used through a proxy or a spoofed IP address, which does not pinpoint a specific user within that pool of users.

A sender IP address can be faked (spoofed), characterizing a spoofing attack. This disguises the origin of packets sent, for example in a denial-of-service attack. The same holds true for proxies, although in a different manner than IP spoofing.

Potential solutions

One potential solution involves implementing the use of intermediate Internet gateways (i.e., those servers connecting disparate networks along the path followed by any given packet) filtering or denying any packet deemed to be illegitimate. The gateway processing the packet might simply ignore the packet completely, or where possible, it might send a packet back to the sender relaying a message that the illegitimate packet has been denied. Host intrusion prevention systems (HIPS) are one example of technical engineering applications that help to identify, prevent and/or deter unwanted, unsuspected or suspicious events and intrusions.

Any router that implements ingress filtering checks the source IP field of IP packets it receives and drops packets if the packets don't have an IP address in the IP address block to which the interface is connected. This may not be possible if the end host is multi-homed and also sends transit network traffic.

In ingress filtering, packets coming into the network are filtered if the network sending it should not send packets from the originating IP address(es). If the end host is a stub network or host, the router needs to filter all IP packets that have, as the source IP, private addresses (RFC 1918), bogon addresses or addresses that do not have the same network address as the interface. [2]

Networks

Network ingress filtering is a packet filtering technique used by many Internet service providers to try to prevent IP address spoofing of Internet traffic, and thus indirectly combat various types of net abuse by making Internet traffic traceable to its source.

Network ingress filtering makes it much easier to track denial-of-service attacks to their source(s) so they can be fixed. [3]

Network ingress filtering is a good neighbor policy that relies on cooperation between ISPs for their mutual benefit.

The best current practices for network ingress filtering are documented by the Internet Engineering Task Force in BCP 38 and 84, which are defined by RFC 2827 and RFC 3704, respectively. [4] [5]

BCP 84 recommends that upstream providers of IP connectivity filter packets entering their networks from downstream customers, and discard any packets which have a source address that is not allocated to that customer.

There are many possible ways of implementing this policy; one common mechanism is to enable reverse-path forwarding on links to customers, which will indirectly apply this policy based on the provider's route filtering of their customers' route announcements.

Deployment

As of 2012, one report suggests that, contrary to general opinion about the lack of BCP 38 deployment, some 80% of the Internet (by various measures) were already applying anti-spoofing packet filtering in their networks. [6]

At least one computer security expert is in favor of passing a law requiring 100% of all ISPs to implement network ingress filtering as defined in IETF BCP 38. In the US, presumably the FCC would enforce this law. [3]

See also

Related Research Articles

An Internet Protocol address is a numerical label such as 192.0.2.1 that is connected to a computer network that uses the Internet Protocol for communication. An IP address serves two main functions: network interface identification and location addressing.

<span class="mw-page-title-main">Internet Protocol version 4</span> Fourth version of the Internet Protocol

Internet Protocol version 4 (IPv4) is the fourth version of the Internet Protocol (IP). It is one of the core protocols of standards-based internetworking methods in the Internet and other packet-switched networks. IPv4 was the first version deployed for production on SATNET in 1982 and on the ARPANET in January 1983. It is still used to route most Internet traffic today, even with the ongoing deployment of Internet Protocol version 6 (IPv6), its successor.

<span class="mw-page-title-main">IPv6</span> Version 6 of the Internet Protocol

Internet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of IPv4 address exhaustion, and was intended to replace IPv4. In December 1998, IPv6 became a Draft Standard for the IETF, which subsequently ratified it as an Internet Standard on 14 July 2017.

A Request for Comments (RFC) is a publication in a series from the principal technical development and standards-setting bodies for the Internet, most prominently the Internet Engineering Task Force (IETF). An RFC is authored by individuals or groups of engineers and computer scientists in the form of a memorandum describing methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems. It is submitted either for peer review or to convey new concepts, information, or, occasionally, engineering humor.

<span class="mw-page-title-main">IP address spoofing</span> Creating IP packets using a false IP address

In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of impersonating another computing system.

<span class="mw-page-title-main">Routing table</span> Data table stored in a router that lists the routes to network destinations

In computer networking, a routing table, or routing information base (RIB), is a data table stored in a router or a network host that lists the routes to particular network destinations, and in some cases, metrics (distances) associated with those routes. The routing table contains information about the topology of the network immediately around it.

A Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on.

Bogon filtering is the practice of filtering bogons, which are bogus (fake) IP addresses of a computer network. Bogons include IP packets on the public Internet that contain addresses that are not in any range allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated regional Internet registry (RIR) and allowed for public Internet use. The areas of unallocated address space are called the bogon space.

An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain, that presents a common and clearly defined routing policy to the Internet. Each AS is assigned an autonomous system number (ASN), for use in Border Gateway Protocol (BGP) routing. Autonomous System Numbers are assigned to Local Internet Registries (LIRs) and end user organizations by their respective Regional Internet Registries (RIRs), which in turn receive blocks of ASNs for reassignment from the Internet Assigned Numbers Authority (IANA). The IANA also maintains a registry of ASNs which are reserved for private use.

<span class="mw-page-title-main">Anycast</span> Network addressing and routing methodology

Anycast is a network addressing and routing methodology in which a single destination IP address is shared by devices in multiple locations. Routers direct packets addressed to this destination to the location nearest the sender, using their normal decision-making algorithms, typically the lowest number of BGP network hops. Anycast routing is widely used by content delivery networks such as web and DNS hosts, to bring their content closer to end users.

A Martian packet is an IP packet seen on the public Internet that contains a source or destination address that is reserved for special-use by Internet Assigned Numbers Authority (IANA) as defined in RFC 1812, Appendix B Glossary. On the public Internet, such a packet either has a spoofed source address, and it cannot actually originate as claimed, or the packet cannot be delivered. The requirement to filter these packets is found in RFC 1812, Section 5.3.7.

In Internet networking, a private network is a computer network that uses a private address space of IP addresses. These addresses are commonly used for local area networks (LANs) in residential, office, and enterprise environments. Both the IPv4 and the IPv6 specifications define private IP address ranges.

Reverse-path forwarding (RPF) is a technique used in modern routers for the purposes of ensuring loop-free forwarding of multicast packets in multicast routing and to help prevent IP address spoofing in unicast routing.

In networking, a black hole refers to a place in the network where incoming or outgoing traffic is silently discarded, without informing the source that the data did not reach its intended recipient.

In computer networking, source routing, also called path addressing, allows a sender of a packet to partially or completely specify the route the packet takes through the network. In contrast, in conventional routing, routers in the network determine the path incrementally based on the packet's destination. Another routing alternative, label switching, is used in connection-oriented networks such as X.25, Frame Relay, Asynchronous Transfer Mode and Multiprotocol Label Switching.

A forwarding information base (FIB), also known as a forwarding table or MAC table, is most commonly used in network bridging, routing, and similar functions to find the proper output network interface controller to which the input interface should forward a packet. It is a dynamic table that maps MAC addresses to ports. It is the essential mechanism that separates network switches from Ethernet hubs. Content-addressable memory (CAM) is typically used to efficiently implement the FIB, thus it is sometimes called a CAM table.

An IPv6 transition mechanism is a technology that facilitates the transitioning of the Internet from the Internet Protocol version 4 (IPv4) infrastructure in use since 1983 to the successor addressing and routing system of Internet Protocol Version 6 (IPv6). As IPv4 and IPv6 networks are not directly interoperable, transition technologies are designed to permit hosts on either network type to communicate with any other host.

DDoS mitigation is a set of network management techniques and/or tools, for resisting or mitigating the impact of distributed denial-of-service (DDoS) attacks on networks attached to the Internet, by protecting the target, and relay networks. DDoS attacks are a constant threat to businesses and organizations, by delaying service performance, or by shutting down a website entirely.

Source-specific routing, also called source-address dependent routing (SADR), is a routing technique in which a routing decision is made by looking at the source address of a packet in addition to its destination address. The main application of source-specific routing is to allow a cheap form of multihoming without the need for provider-independent addresses or any cooperation from upstream ISPs.

In order to ensure proper working of carrier-grade NAT (CGN), and, by doing so, alleviating the demand for the last remaining IPv4 addresses, a /10 size IPv4 address block was assigned by Internet Assigned Numbers Authority (IANA) to be used as shared address space. This block of addresses is specifically meant to be used by Internet service providers that implement carrier-grade NAT, to connect their customer-premises equipment (CPE) to their core routers.

References

  1. Zhauniarovich, Yury; Dodia, Priyanka (June 2019). "Sorting the Garbage: Filtering Out DRDoS Amplification Traffic in ISP Networks". 2019 IEEE Conference on Network Softwarization (NetSoft). IEEE. pp. 142–150. doi:10.1109/netsoft.2019.8806653. ISBN   978-1-5386-9376-6. S2CID   201621791.
  2. Robert Gezelter (1995) Security on the Internet Chapter 23 in Hutt, Bosworth, and Hoytt (1995) "Computer Security Handbook, Third Edition", Wiley, section 23.6(b), pp 23-12, et seq.
  3. 1 2 Dr. David A. Wheeler. "What laws should be created to improve computer security?" . Retrieved 2023-06-10.
  4. Ferguson, P.; Senie, D. (May 2000). Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. IETF. doi: 10.17487/RFC2827 . BCP 38. RFC 2827.
  5. Baker, F.; Savola, P. (March 2004). Ingress Filtering for Multihomed Networks. IETF. doi: 10.17487/RFC3704 . BCP 84. RFC 3704.
  6. Barry Greene (June 11, 2012). "Everyone should be deploying BCP 38! Wait, they are …". senki.org.