
Quick question regarding Ingress Filtering.


ttyl1333

Newbie

Posts: 2

Joined: Sat Mar 09, 2013 11:27 am

Post Sat Mar 09, 2013 11:38 am

Quick question regarding Ingress Filtering.

In the CEH Study Guide Book, the following is mentioned as part of Ingress Filtering - "Although this doesn't stop an attack from occurring, it does make it much easier to track down the source of the attack and terminate the attack quickly."

Why doesn't Ingress Filtering stop an attack ?

I thought it stops packets which contains unapproved IP addresses in its header to enter the network ?

Thanks for any help.

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Sat Mar 09, 2013 3:46 pm

Re: Quick question regarding Ingress Filtering.

It will stop attacks on ports/services that are not allowed. However, it cannot stop attacks for ports/services that are allowed. For example, you would hopefully deny inbound tcp/445 but might allow tcp/80 in for web services. We can still attack the web server and the web application, which is allowed by the ingress filtering.

m0wgli

Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Sat Mar 09, 2013 4:11 pm

Re: Quick question regarding Ingress Filtering.

cd1zz wrote:It will stop attacks on ports/services that are not allowed. However, it cannot stop attacks for ports/services that are allowed. For example, you would hopefully deny inbound tcp/445 but might allow tcp/80 in for web services. We can still attack the web server and the web application, which is allowed by the ingress filtering.


AFAIK, that would be considered port filtering, ingress filtering is IP address based.

ttyl1333 wrote:I thought it stops packets which contains unapproved IP addresses in its header to enter the network ?


I think they are looking at this from the perspective that an attacker can spoof the IP address in the header. However, it's still possible to detect that behaviour.
Last edited by m0wgli on Sat Mar 09, 2013 4:37 pm, edited 1 time in total.
Security + | OSWP | eCPPT (Silver & Gold) | CSTA

ttyl1333

Newbie

Posts: 2

Joined: Sat Mar 09, 2013 11:27 am

Post Sun Mar 10, 2013 12:09 am

Re: Quick question regarding Ingress Filtering.

m0wgli wrote:I think they are looking at this from the perspective that an attacker can spoof the IP address in the header. However, it's still possible to detect that behaviour.


Ahh okay thanks  ;D

prats84

Jr. Member

Posts: 73

Joined: Thu Nov 18, 2010 7:03 pm

Post Sun Mar 10, 2013 7:02 am

Re: Quick question regarding Ingress Filtering.

Ingress filter ... yes, mainly from spoofing and sort of route leaking etc., if seen from an ISP's network view.


You could look at RFC 2827, which states everything in detail.
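RFC 2827 (updated by RFC 3704) describes source-address validation at the provider edge: a packet arriving on a customer link with a source address the provider would never route back over that link is dropped and logged, so the spoofer can be traced to a link. The following is an added example for this thread, not code from the RFCs or from any poster; the routing table, interface names and packets are all constructed. It implements the strict reverse-path (uRPF) check in Python and also illustrates cd1zz's point above: a packet with a legitimate source to an allowed service (tcp/80) is forwarded, so the web server behind the filter still has to defend itself.

```python
"""
Strict reverse-path ingress filter in the spirit of RFC 2827 / RFC 3704.

Added example for this thread; not code from the RFCs or from any poster.
Constructed topology: an ISP edge router with two customer links and one
upstream link, plus null routes for RFC 1918 space so bogon sources fail
the check on every interface.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str        # source IP as written in the header (may be spoofed)
    dst: str
    dport: int
    in_iface: str   # interface the packet arrived on


class StrictRPF:
    """Forward a packet only if the best route back to its source address
    leaves via the interface the packet arrived on (strict-mode uRPF)."""

    def __init__(self, routes):
        # Longest prefix first, so the first hit is the most specific route.
        self.routes = sorted(((ip_network(p), nh) for p, nh in routes.items()),
                             key=lambda r: r[0].prefixlen, reverse=True)
        # Dropped packets with a reason: this log is what lets you trace a
        # spoofing source to a specific customer link.
        self.log = []

    def reverse_route(self, addr):
        for net, next_hop in self.routes:
            if addr in net:
                return next_hop
        return None

    def accept(self, pkt):
        next_hop = self.reverse_route(ip_address(pkt.src))
        if next_hop is None:
            self.log.append((pkt, "source is null-routed (bogon)"))
            return False
        if next_hop != pkt.in_iface:
            self.log.append((pkt, f"reverse path for {pkt.src} is {next_hop}, "
                                  f"packet arrived on {pkt.in_iface}"))
            return False
        return True


ROUTES = {                         # constructed routing table: prefix -> interface
    "0.0.0.0/0": "upstream",       # default route towards the Internet
    "203.0.113.0/24": "cust-a",    # customer A's allocation
    "198.51.100.0/24": "cust-b",   # customer B's allocation
    "10.0.0.0/8": None,            # RFC 1918 null-routed: RPF fails everywhere
    "172.16.0.0/12": None,
    "192.168.0.0/16": None,
}

SAMPLE = [  # constructed packets
    Packet("203.0.113.7", "198.51.100.20", 80, "cust-a"),   # legit source; tcp/80 still passes
    Packet("198.51.100.9", "203.0.113.50", 25, "cust-a"),   # customer A spoofing customer B
    Packet("192.168.1.5", "203.0.113.50", 53, "upstream"),  # RFC 1918 source from the Internet side
    Packet("192.0.2.10", "203.0.113.50", 443, "cust-a"),    # A claiming an arbitrary Internet address
    Packet("192.0.2.10", "203.0.113.50", 443, "upstream"),  # same address from upstream: consistent
]


def run(filter_: StrictRPF, packets):
    """Return the packets the filter forwards; drops land in filter_.log."""
    return [p for p in packets if filter_.accept(p)]


if __name__ == "__main__":
    f = StrictRPF(ROUTES)
    for p in run(f, SAMPLE):
        print("FORWARD", p)
    for p, why in f.log:
        print("DROP   ", p, "--", why)
```

Note the null routes: with only a default route, strict RPF would accept anything arriving from upstream, including RFC 1918 sources, because the default route matches every address. Null-routing bogon space is what closes that gap on the upstream interface.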

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Sun Mar 10, 2013 4:09 pm

Re: Quick question regarding Ingress Filtering.

I had no idea there was a difference! Thanks for the clarification. I always assumed it was the same concept as egress filtering, which is apparently different!

prats84

Jr. Member

Posts: 73

Joined: Thu Nov 18, 2010 7:03 pm

Post Sun Mar 10, 2013 6:22 pm

Re: Quick question regarding Ingress Filtering.

For an enterprise or small business sized network, I consider egress as more important than ingress, as it serves as a filter to drop traffic leaving your network.

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sun Mar 10, 2013 6:36 pm

Re: Quick question regarding Ingress Filtering.

cd1zz wrote:I had no idea there was a difference! Thanks for the clarification. I always assumed it was the same concept as egress filtering, which is apparently different!


This isn't directed at anyone who responded in this thread, but aside from garbage CEH trivia questions, I don't think there is a difference.

This seems to have caught on from the RFCs (2827 is actually superseded by 3704). However, these are specifically written for mitigating DoS attacks for service providers/large networks. They aren't literally defining the term.

There is no legitimate reason for ingress filtering to not mean the exact opposite of egress filtering.
The day you stop learning is the day you start becoming obsolete.

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Sun Mar 10, 2013 9:00 pm

Re: Quick question regarding Ingress Filtering.

Good to know I'm not totally crazy.

prats84

Jr. Member

Posts: 73

Joined: Thu Nov 18, 2010 7:03 pm

Post Sun Mar 10, 2013 11:56 pm

Re: Quick question regarding Ingress Filtering.

Not making an argument or anything, just sharing my experience.

- 3704, yes, is an update to 2827, so it supersedes it as such, but 2827 is still used as the base reference for uRPF. Even CCIE v4 exams still use 2827 lol ... to test on.

- I do agree about ingress and egress, as they are basically there to block invalid traffic entering or leaving the network respectively, whatever it may be: spoofing, Smurf, etc.

Having ingress, we allow certain things to enter our network.

However, egress can be used to identify any anomaly. Egress usually lets almost all IP traffic out of the network (except traffic sourced from 1918, bogon, multicast, and even some FTP, TFTP protocols).

I like to use egress to find out about a sudden spike in outbound bandwidth and random ports sending large traffic, which is useful if end machines have been part of a botnet or a virus. Egress helps to quickly stop these attacks going out of the network. Once things are more clear on analysis, ACLs close to the source of malicious activity can be applied.
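The egress policy described in the post above (let traffic out only when it is sourced from our own addresses, block a few protocols such as TFTP outright, and watch for hosts that suddenly push large volumes to odd ports) as an added example, not code from this thread or from any poster. The enterprise prefix 203.0.113.0/24, the 50 MB per-window threshold and the flow records are constructed; a real deployment would feed it NetFlow/IPFIX records and set the threshold from a measured baseline.

```python
"""
Enterprise-side egress filter plus a simple outbound-spike detector.

Added example for this thread; not code from any poster. The prefix,
threshold and flow records are constructed. Policy:
  1. a packet may leave only if its source is inside our own prefix, which
     also stops RFC 1918, loopback and other bogon sources from leaking out;
  2. protocols we never expect outbound (TFTP here) are dropped;
  3. flows that pass are summed per (host, destination port) so a host
     suddenly sending large volumes to an unusual port stands out.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OUR_PREFIX = ip_network("203.0.113.0/24")  # assumption: the enterprise's public allocation
DENY_UDP_DPORTS = {69}                      # TFTP, per the thread's "some ftp, tftp" example
SPIKE_BYTES = 50_000_000                    # per host+port per window; tune from a baseline


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    bytes_out: int


def egress_allowed(flow):
    """Return (allowed, reason) for one outbound flow record."""
    src = ip_address(flow.src)
    if src not in OUR_PREFIX:
        return False, f"source {flow.src} is not ours (spoofed or leaked RFC 1918/bogon)"
    if flow.proto == "udp" and flow.dport in DENY_UDP_DPORTS:
        return False, f"udp/{flow.dport} not permitted outbound"
    return True, "ok"


def apply_egress(flows):
    """Split flows into (passed, dropped); each entry is (flow, reason)."""
    passed, dropped = [], []
    for f in flows:
        ok, why = egress_allowed(f)
        (passed if ok else dropped).append((f, why))
    return passed, dropped


def find_spikes(passed, threshold=SPIKE_BYTES):
    """Sum bytes per (src, dport) over the passed flows and return the pairs
    above threshold, largest first: candidates for a source-side ACL."""
    totals = defaultdict(int)
    for f, _ in passed:
        totals[(f.src, f.dport)] += f.bytes_out
    return sorted(((k, v) for k, v in totals.items() if v > threshold),
                  key=lambda kv: kv[1], reverse=True)


SAMPLE_FLOWS = [  # constructed: one NetFlow-like record per line
    Flow("203.0.113.10", "198.51.100.1", "tcp", 443, 1_200_000),     # normal HTTPS
    Flow("203.0.113.10", "198.51.100.1", "tcp", 443, 900_000),
    Flow("10.0.0.5",     "198.51.100.1", "tcp", 80,  40_000),        # RFC 1918 source leaking out
    Flow("203.0.113.77", "192.0.2.9",    "udp", 69,  2_000),         # TFTP outbound
    Flow("203.0.113.42", "192.0.2.200",  "tcp", 6667, 30_000_000),   # one host flooding an IRC port
    Flow("203.0.113.42", "192.0.2.200",  "tcp", 6667, 45_000_000),
    Flow("192.0.2.55",   "198.51.100.1", "tcp", 80,  10_000),        # source spoofed to a foreign address
]


if __name__ == "__main__":
    passed, dropped = apply_egress(SAMPLE_FLOWS)
    for f, why in dropped:
        print("DROP ", f, "--", why)
    for (src, port), total in find_spikes(passed):
        print(f"SPIKE {src} -> tcp/udp port {port}: {total} bytes this window")
```

The two mechanisms answer different questions: the allow/deny check enforces the policy, while the per-host aggregation is the anomaly view that tells you which internal machine to cut off with a more specific ACL once the analysis is done.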
