EH-Net

Ethical Hacking Discussions and Related Certifications => CEH - Certified Ethical Hacker => Topic started by: ttyl1333 on March 09, 2013, 10:38:42 AM



Title: Quick question regarding Ingress Filtering.
Post by: ttyl1333 on March 09, 2013, 10:38:42 AM
In the CEH Study Guide Book, the following is mentioned as part of Ingress Filtering - "Although this doesn't stop an attack from occurring, it does make it much easier to track down the source of the attack and terminate the attack quickly."

Why doesn't Ingress Filtering stop an attack?

I thought it stops packets which contain unapproved IP addresses in their headers from entering the network?

Thanks for any help.


Title: Re: Quick question regarding Ingress Filtering.
Post by: cd1zz on March 09, 2013, 02:46:57 PM
It will stop attacks on ports/services that are not allowed. However, it cannot stop attacks for ports/services that are allowed. For example, you would hopefully deny inbound tcp/445 but might allow tcp/80 in for web services. We can still attack the web server and the web application... which is allowed by the ingress filtering.


Title: Re: Quick question regarding Ingress Filtering.
Post by: m0wgli on March 09, 2013, 03:11:35 PM
Quote from: cd1zz on March 09, 2013, 02:46:57 PM
It will stop attacks on ports/services that are not allowed. However, it cannot stop attacks for ports/services that are allowed. For example, you would hopefully deny inbound tcp/445 but might allow tcp/80 in for web services. We can still attack the web server and the web application... which is allowed by the ingress filtering.

AFAIK, that would be considered port filtering, ingress filtering is IP address based.

Quote from: ttyl1333 on March 09, 2013, 10:38:42 AM
I thought it stops packets which contain unapproved IP addresses in their headers from entering the network?

I think they are looking at this from the perspective that an attacker can spoof the IP address in the header. However, it's still possible to detect that behaviour.


Title: Re: Quick question regarding Ingress Filtering.
Post by: ttyl1333 on March 09, 2013, 11:09:08 PM
Quote from: m0wgli on March 09, 2013, 03:11:35 PM
I think they are looking at this from the perspective that an attacker can spoof the IP address in the header. However, it's still possible to detect that behaviour.

Ahh okay, thanks ;D


Title: Re: Quick question regarding Ingress Filtering.
Post by: prats84 on March 10, 2013, 07:02:40 AM
Ingress filter ... yes, mainly from spoofing and a sort of route leaking, etc., if seen from an ISP's network view.


You could look at RFC 2827, which states everything in detail.
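To make the distinction m0wgli and prats84 are drawing concrete, here is an added example (not code from the thread or from any vendor) that models RFC 2827 / BCP 38 source-address ingress filtering on a border router in pure Python. It checks each packet arriving on the external interface against a short bogon list and then applies a strict reverse-path check of the kind RFC 3704 describes (the route back to the source must leave via the interface the packet came in on). The site prefix 203.0.113.0/24, the interface names wan0/lan0, the routing table and the sample packets are all constructed for this example.

```python
"""Added example (not from the forum thread): RFC 2827 / BCP 38 style
source-address ingress filtering on a border router, modelled in Python.

Assumptions (constructed for this example): the site owns 203.0.113.0/24
(a documentation range), the border router has an external interface
"wan0" and an internal interface "lan0", and ROUTES is its routing table.
"""
import ipaddress
from dataclasses import dataclass

# A short subset of prefixes that should never be a source on an Internet-facing link.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed routing table: (prefix, interface the prefix is reached through).
ROUTES = [
    (ipaddress.ip_network("203.0.113.0/24"), "lan0"),   # our own address space
    (ipaddress.ip_network("0.0.0.0/0"), "wan0"),        # default route towards the ISP
]


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    iface: str   # interface the packet arrived on


def best_route(addr):
    """Longest-prefix match: return the interface used to reach addr."""
    a = ipaddress.ip_address(addr)
    matches = [(net, ifc) for net, ifc in ROUTES if a in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def is_bogon(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in BOGONS)


def ingress_verdict(pkt):
    """Decide whether an inbound packet passes source-address ingress filtering.

    Returns (accept, reason). Note that the port is never consulted: this is
    purely about whether the claimed source is plausible on this interface.
    """
    if pkt.iface != "wan0":
        return True, "not an ingress packet"
    if is_bogon(pkt.src):
        return False, f"bogon/private source {pkt.src}"
    # Strict reverse-path check: the route back to the source must leave
    # through the interface the packet arrived on, otherwise it is spoofed.
    back = best_route(pkt.src)
    if back != pkt.iface:
        return False, f"reverse path for {pkt.src} is {back}, not {pkt.iface}"
    return True, "source plausible for this interface"


def filter_ingress(packets):
    """Apply the check to a list of packets; return (accepted, dropped) with reasons."""
    accepted, dropped = [], []
    for p in packets:
        ok, why = ingress_verdict(p)
        (accepted if ok else dropped).append((p, why))
    return accepted, dropped


# Constructed sample traffic arriving on the external interface.
SAMPLE = [
    Packet("198.51.100.7", "203.0.113.10", 80, "wan0"),   # ordinary web request
    Packet("203.0.113.55", "203.0.113.10", 80, "wan0"),   # spoofed: claims to be inside our prefix
    Packet("10.1.2.3", "203.0.113.10", 445, "wan0"),      # private source arriving from the Internet
    Packet("198.51.100.9", "203.0.113.10", 445, "wan0"),  # plausible source; port policy is a separate matter
]

if __name__ == "__main__":
    acc, drop = filter_ingress(SAMPLE)
    for p, why in drop:
        print(f"DROP {p.src} -> {p.dst}:{p.dport} ({why})")
    for p, why in acc:
        print(f"PASS {p.src} -> {p.dst}:{p.dport} ({why})")
```

The last sample packet is the point of the thread: a source that passes the reverse-path check is accepted regardless of destination port, so a port-based policy for tcp/445 has to be expressed separately, and an attack against a legitimately exposed service is untouched by ingress filtering. What the filter does give a defender is the drop log with a reason per packet, which is the "easier to track down the source" benefit the study guide refers to.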


Title: Re: Quick question regarding Ingress Filtering.
Post by: cd1zz on March 10, 2013, 04:09:28 PM
I had no idea there was a difference! Thanks for the clarification. I always assumed it was the same concept as egress filtering, which is apparently different!


Title: Re: Quick question regarding Ingress Filtering.
Post by: prats84 on March 10, 2013, 06:22:59 PM
For an enterprise or small business sized network, I consider egress as more important than ingress, as it serves as a filter to drop traffic leaving your network.

Title: Re: Quick question regarding Ingress Filtering.
Post by: ajohnson on March 10, 2013, 06:36:50 PM
Quote from: cd1zz on March 10, 2013, 04:09:28 PM
I had no idea there was a difference! Thanks for the clarification. I always assumed it was the same concept as egress filtering, which is apparently different!

This isn't directed at anyone who responded in this thread, but aside from garbage CEH trivia questions, I don't think there is a difference.

This seems to have caught on from the RFCs (2827 is actually superseded by 3704 (http://www.ietf.org/rfc/rfc3704.txt)). However, these are specifically written for mitigating DoS attacks for service providers/large networks. They aren't literally defining the term.

There is no legitimate reason for ingress filtering to not mean the exact opposite of egress filtering.


Title: Re: Quick question regarding Ingress Filtering.
Post by: cd1zz on March 10, 2013, 09:00:26 PM
Good to know I'm not totally crazy.


Title: Re: Quick question regarding Ingress Filtering.
Post by: prats84 on March 10, 2013, 11:56:51 PM
Not making an argument or anything, just sharing my experience.

- 3704, yes, is an update to 2827, so it supersedes it as such, but still 2827 is used to refer to uRPF as a base. Even CCIE v4 exams still use 2827 lol ... to test on.

- I do agree about ingress and egress, as they are basically to block invalid traffic entering or leaving the network respectively, whatever it may be: spoofing, Smurf, etc.

Having ingress we allow certain things to enter our network.

However, egress can be used to identify any anomaly. Egress usually lets almost all IP traffic out of the network (except traffic sourced from 1918, bogon and multicast addresses, and even some protocols such as ftp and tftp).

I like to use egress to find out about a sudden spike in outbound bandwidth and random ports sending large traffic, which is useful if end machines have been part of a botnet or a virus. Egress helps to quickly stop these attacks going out of the network. Once things are more clear on analysis, ACLs close to the source of the malicious activity can be applied.
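The egress side of what prats84 describes, as an added example that is not code from the thread: the filter itself (only the site's own prefix may source traffic leaving the network, so RFC 1918, loopback, link-local and multicast sources are dropped) and a pass over one interval of flow records that flags a host with an outbound bandwidth spike or an unusually wide spread of destination ports. The site prefix 203.0.113.0/24, the flow tuples, the 5 MB per-host baseline and the port-spread limit are all constructed for the example.

```python
"""Added example (not from the forum thread): egress filtering plus simple
egress anomaly spotting over constructed flow records.

Assumptions: the site owns 203.0.113.0/24; each flow record is
(src, dst, dport, bytes) for traffic leaving the network during one
interval; BYTES_BASELINE and PORT_SPREAD_LIMIT are invented thresholds.
"""
import ipaddress
from collections import defaultdict

OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# Sources that must never leave the network (RFC 1918, loopback, link-local, multicast).
INVALID_EGRESS_SOURCES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]

BYTES_BASELINE = 5_000_000   # constructed per-host outbound threshold for one interval
PORT_SPREAD_LIMIT = 5        # constructed: more distinct destination ports than this is odd for a workstation


def egress_allowed(src):
    """Egress filter: only addresses inside our own prefix may source outbound traffic."""
    a = ipaddress.ip_address(src)
    if any(a in net for net in INVALID_EGRESS_SOURCES):
        return False
    return a in OUR_PREFIX


def analyse_egress(flows):
    """Return (dropped_flows, findings); a finding is (host, kind, detail)."""
    dropped = []
    bytes_out = defaultdict(int)
    ports = defaultdict(set)
    for src, dst, dport, nbytes in flows:
        if not egress_allowed(src):
            dropped.append((src, dst, dport, nbytes))   # invalid source, never forwarded
            continue
        bytes_out[src] += nbytes
        ports[src].add(dport)

    findings = []
    for host, total in sorted(bytes_out.items()):
        if total > BYTES_BASELINE:
            findings.append((host, "bandwidth-spike",
                             f"{total} bytes out, baseline {BYTES_BASELINE}"))
        if len(ports[host]) > PORT_SPREAD_LIMIT:
            findings.append((host, "port-spread",
                             f"{len(ports[host])} distinct destination ports"))
    return dropped, findings


# Constructed flow records for one reporting interval.
FLOWS = [
    ("203.0.113.10", "198.51.100.5", 443, 120_000),      # ordinary HTTPS
    ("203.0.113.10", "198.51.100.6", 443, 80_000),
    ("192.168.1.20", "198.51.100.5", 80, 1_500),         # RFC 1918 source leaking out
    ("203.0.113.42", "198.51.100.77", 6667, 9_000_000),  # large outbound burst on an unusual port
] + [("203.0.113.42", f"198.51.100.{i}", 1000 + i, 600) for i in range(8)]  # same host, 8 more ports

if __name__ == "__main__":
    dropped, findings = analyse_egress(FLOWS)
    for src, dst, dport, _ in dropped:
        print(f"DROP egress from {src} -> {dst}:{dport}")
    for host, kind, detail in findings:
        print(f"ALERT {host} {kind}: {detail}")
```

Both findings land on the same internal host, which is the state the post describes: the egress log tells you which machine to look at first, and once the analysis confirms it, a narrow ACL close to that host can be applied without touching the rest of the network's outbound traffic.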