How Does Ingress Filtering Help with Cyberattack Detection?

What is Ingress Filtering?

Enterprises and Internet Service Providers (ISPs) use ingress filtering to keep suspicious traffic from entering a network. Implemented on an edge device such as a router or firewall, it inspects every inbound packet and accepts or denies it based on the information in the packet header. In other words, it is a form of packet filtering.

Ingress traffic filtering is one of the primary barriers in a network security plan. Its goal is to thwart cyberattacks, particularly denial of service (DoS) attacks that rely on IP address spoofing.

Ingress traffic filtering can be defined as a type of computer security that involves checking incoming packets for validity. If a packet's alleged source does not appear to match, the network can hold it and refuse to let the data through. This can protect users from malicious spoofing attacks, in which a hacker tries to make a packet appear to come from somewhere else. Ingress filtering is commonly used by Internet service providers (ISPs) to protect their clients, and an individual home or office network may have extra security measures in place.

With this mechanism in place, the system checks every arriving packet to determine its origin. To decide whether a packet really comes from the location it claims, the system compares this information against a database. If it matches, the packet can be admitted. If there is a problem with the source, the system can hold the packet, keeping it out of the network and protecting the users connected to it.

Ingress filtering can be used to prevent Denial of Service (DoS) attacks. These attacks work by flooding networks with packets, many of which carry faked source addresses to hide their true origin. Because the network no longer has to process the malicious packets, a system that can catch faked packets can keep the network operational while under attack. It is also possible to correlate attacks by comparing spoofing information against established databases in order to track affected systems and malicious users.

Ingress screening depends on ISPs working together. Each must routinely update its own databases for the benefit of its partners, and each must rely on other ISPs' updated databases for accurate and complete information. By cooperating, service providers can improve their customers' safety and security even while competing for those customers and for attention.

How Does Ingress Filtering Work?

Ingress filters frequently blacklist the following IP addresses −

  • IP addresses already in use on the internal network – This helps prevent an attacker from using a poorly crafted firewall rule to fake an internal IP address.
  • Private IP addresses – This helps prevent harmful communications from an attacker's faked address or an incorrectly configured internet-based host.
  • Loopback IP addresses – This helps prevent traffic from an attacker impersonating a loopback IP to take advantage of a firewall rule base that has been improperly constructed.
  • Multicast addresses – This helps to prevent unwanted multicast communication, which is often spam.
  • Service or management network addresses – This prevents an attacker from gaining unauthorized access to network services running at the network application layer and above through the public Internet.

Additionally, network managers may want to whitelist traffic from specified regions of the globe with whom their company does business or blacklist traffic from dangerous sections of the world with which their firm does not want to interact. Access control lists for network border routers can be created using a variety of free and subscription-based services.
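The address classes listed above, plus the per-customer prefix check that BCP 38 calls for, can be expressed as a small edge policy. The following is an added example, not code from the original article; the interface names, the site's own address blocks (taken from the RFC 5737 documentation ranges) and the customer prefix map are all assumed for illustration.

```python
# Added example (not from the original article): a minimal edge-router ingress
# policy that drops the source-address classes the article lists and, per BCP 38,
# admits a customer interface's packets only from that customer's assigned prefix.
# The interface-to-prefix map and all address blocks are constructed for illustration.
import ipaddress

# Source ranges that should never arrive from the public Internet.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # private (RFC 1918)
    "127.0.0.0/8",                                    # loopback
    "224.0.0.0/4",                                    # multicast
    "0.0.0.0/8",                                      # "this" network
)]

# Assumed deployment: our own public block and our management network.
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # our public block (TEST-NET-3)
MGMT_NETS = [ipaddress.ip_network("198.51.100.0/28")]      # management network

# Assumed per-interface customer prefixes (BCP 38: accept only the customer's own prefix).
CUSTOMER_PREFIX = {
    "ge-0/0/1": ipaddress.ip_network("192.0.2.0/26"),
    "ge-0/0/2": ipaddress.ip_network("192.0.2.64/26"),
}

def _in_any(addr, nets):
    return any(addr in n for n in nets)

def ingress_verdict(interface, src_ip, role):
    """Return (action, reason). role is 'upstream' (Internet-facing) or 'customer'."""
    src = ipaddress.ip_address(src_ip)
    if _in_any(src, BOGON_SOURCES):
        return ("drop", "bogon source")
    if _in_any(src, MGMT_NETS):
        return ("drop", "management address arriving from outside")
    if role == "upstream" and _in_any(src, INTERNAL_NETS):
        return ("drop", "spoofed internal address")
    if role == "customer":
        allowed = CUSTOMER_PREFIX.get(interface)
        if allowed is None or src not in allowed:
            return ("drop", "source outside customer's prefix (BCP 38)")
    return ("accept", "ok")
```

The same decision logic maps directly onto a router or firewall access list applied inbound on each interface; the reason string is what you would want logged for detection.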

Defense against DoS Attacks

Denial of service (DoS) attacks have been around since the beginning of the Internet. What makes this type of attack so disruptive, and what can we do to prevent it? While not impenetrable, ingress filtering can offer a long-term solution if we all work together to implement it across the board.

To provide enhanced resilience against DDoS, companies employ a variety of strategies, such as blocking specific ports, protocols, and IP address prefixes for particular parts of the network, distributing their services as widely as possible, and provisioning more bandwidth than they normally use.

How Does Ingress Filtering Work?

Ingress filtering allows only traffic from trusted sources to enter a network. As a result, traffic from a client with the prefix "x" will be accepted, but not traffic from any other, unidentifiable prefix. Following a resurgence of DoS attacks in 1998, the IETF standardized this approach. In the year 2000, it was published as Internet Best Current Practice "BCP 38."

Ingress filtering minimizes the likelihood of an attacker using an operator's network to launch an attack. It is of no use, however, if the attacker chooses to use their own genuine prefix. Is it really that simple? In reality, it isn't.

The approved prefix for each client must be entered manually into access lists, which must then be applied to each corresponding interface. This procedure is time-consuming, does not scale, and is difficult to maintain, which runs counter to sound operations management principles.

Reverse-path forwarding (RPF) is an alternative that filters dynamically. This streamlines the process, but it can block valid traffic if done incorrectly. Practices such as asymmetric routing, in which a provider sends traffic over one link but receives it over another, cause problems, leaving operators unsure how to deploy reverse-path forwarding without jeopardizing their customers' traffic.

Since 2004, the IETF has released various updates on how to use RPF to implement filtering and support as many routing scenarios as possible. In essence, data from routers regarding routes and forwarding interfaces can be used to inform filtering decisions and accommodate various scenarios.

Vendors have provided a variety of implementations, but there is still much work to be done. RFC 8704, released in February 2020, is the most recent update. In order to strike a better balance between flexibility and efficiency, it introduced enhanced feasible-path unicast reverse path forwarding. BCP 38 and BCP 84 are the two best practices for ingress filtering implementation known today.
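To make the asymmetric-routing problem and the feasible-path remedy concrete, here is an added example (not from the article or any vendor implementation) of strict, loose and feasible-path unicast RPF checks run over a constructed forwarding table. The interface names, prefixes and route preferences are assumed; the customer prefix is reachable over two links, with ge-0/0/1 preferred.

```python
# Added example (not from the original article): strict, loose and feasible-path
# unicast RPF over a constructed FIB. Strict RPF drops a legitimate packet that
# arrives on the non-preferred link of an asymmetric pair; feasible-path RPF
# (the approach RFC 8704 builds on) accepts it because a route via that link exists.
import ipaddress

# Constructed FIB entries: (prefix, outgoing interface, preference). Lower is better.
FIB = [
    ("192.0.2.0/24", "ge-0/0/1", 10),   # primary path to the customer
    ("192.0.2.0/24", "ge-0/0/2", 20),   # backup path (feasible, not best)
    ("198.51.100.0/24", "ge-0/0/3", 10),
    ("0.0.0.0/0", "ge-0/0/0", 100),     # default route toward upstream
]
FIB = [(ipaddress.ip_network(p), iface, pref) for p, iface, pref in FIB]

def routes_for(src_ip, ignore_default=True):
    """All FIB entries covering src_ip at the longest matching prefix length."""
    src = ipaddress.ip_address(src_ip)
    matches = [e for e in FIB if src in e[0]]
    if ignore_default:
        matches = [e for e in matches if e[0].prefixlen > 0]
    if not matches:
        return []
    longest = max(e[0].prefixlen for e in matches)
    return [e for e in matches if e[0].prefixlen == longest]

def urpf(mode, src_ip, in_iface):
    """Return True if a packet from src_ip arriving on in_iface passes the given uRPF mode."""
    routes = routes_for(src_ip)
    if not routes:
        return False                      # no specific route back to the source at all
    if mode == "loose":
        return True                       # any non-default route suffices
    best = min(routes, key=lambda e: e[2])
    if mode == "strict":
        return best[1] == in_iface        # best path must exit via the arrival interface
    if mode == "feasible":
        return any(e[1] == in_iface for e in routes)  # any feasible path will do
    raise ValueError(f"unknown uRPF mode: {mode}")
```

Loose mode only asks whether any route exists, so it still catches unroutable (bogon) sources but not spoofing of a routable prefix; strict mode catches that too but fails the asymmetric case shown here.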

What's the Future for Ingress Filtering?

It all boils down to how each network fulfills its responsibilities and contributes to the greater good. To combat cyber security threats and improve network resilience, we should all use ingress filtering. Protecting the reputation of your IP prefixes and looking after your customers' interests are also good practices.

Implementation of standards like BCP 38 and BCP 84 is at the center of the MANRS initiative, in which all participants pledge their commitment to routing security, for these reasons and more. If there's one thing we've learned from these trying times, it's that we need to work together to achieve.

Updated on: 16-Aug-2022
