Wednesday, 24 February 2021

Ingress Filtering

Introduction
The explanation is as follows:
a technique used to ensure that incoming packets are actually from the networks from which they claim to originate.
Example
Suppose we have the following network:
                                                       | 192.1.1.1
                                 +------------------- GW4
                                 | 192.168.1.1
             +----------------- GW2------+
             | 192.168.16.1              | 192.168.33.1
      +---- GW1 -----+             ---- GW3 ----
      |              |
192.168.16.15   192.168.16.243
     YOU           ALICE
Even if we send an IP packet with a source address other than our own IP address, "Ingress Filtering" drops that packet. The explanation is as follows:
You send out a packet with a source address of 10.0.0.36 and directed to, say, 172.16.16.172. GW1, serving your network which is 192.168.16.0/24, only expected to receive packets matching 192.168.16.0/24, and your packet doesn't match, so it is dropped. You could spoof a connection coming from your "neighbour" Alice, but no more.

Even if GW1 did not complain, it would forward the packet to the next hop, which serves the whole 192.168.0.0/16 branch and also would ignore your packet.

And so on and so forth (the IP I used are actually not all that routable, but it's an example).
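
The per-hop check described above, as an added example that is not part of the original post or the quoted explanation. It models GW1 and GW2 from the diagram with the prefixes the quote gives; the function name, the `skip` parameter and the sample addresses other than 10.0.0.36 and 192.168.16.243 are assumptions of this sketch.

```python
import ipaddress

# Constructed from the diagram: the gateways on the path out of YOU's network,
# each paired with the source prefix it expects from its downstream side.
# The /24 and /16 are the ones named in the quoted explanation.
PATH = [
    ("GW1", ipaddress.ip_network("192.168.16.0/24")),
    ("GW2", ipaddress.ip_network("192.168.0.0/16")),
]

def ingress_check(src, path=PATH, skip=()):
    """Walk the path and apply each gateway's ingress filter to the claimed
    source address. Returns ("dropped", gateway) for the first hop that
    rejects it, or ("forwarded", None) if every hop accepts it.
    `skip` lists gateways that do no filtering (hypothetical misconfiguration)."""
    addr = ipaddress.ip_address(src)
    for name, expected in path:
        if name in skip:
            continue  # this hop forwards without checking the source
        if addr not in expected:
            return ("dropped", name)
    return ("forwarded", None)

if __name__ == "__main__":
    # Constructed sample packets, all physically sent by YOU (192.168.16.15).
    cases = [
        ("192.168.16.15", ()),        # honest source address
        ("10.0.0.36", ()),            # spoofed, outside the /24: GW1 drops it
        ("10.0.0.36", ("GW1",)),      # GW1 not filtering: GW2's /16 still drops it
        ("192.168.16.243", ()),       # Alice's address: inside the /24, not caught
        ("192.168.33.7", ("GW1",)),   # other branch, GW1 not filtering: /16 accepts it
    ]
    for src, skip in cases:
        verdict, hop = ingress_check(src, skip=skip)
        print(f"src={src:<15} skip={list(skip)!s:<8} -> {verdict} {hop or ''}")
```

The last case shows why the filter belongs at the edge gateway: an upstream hop only knows the aggregate prefix, so it cannot tell one downstream subnet from another.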
