Source Address
... dropping traffic entering their networks that is coming from a source
address not legitimately in use by the customer network. The
filtering ...
... filtering includes but is in no way limited to the traffic whose
source address is a so-called "Martian Address" - an address ...
... Distributed Denial of Service Attacks frequently spoof other systems'
source addresses, placing a random number in the field. In some
attacks ...
... filtering, by verifying that their prefixes are not used in the
source addresses in packets received from the Internet. In other
attacks ...
... Internet. In other
attacks, the source address is literally a random 32 bit number,
resulting in the source of the attack ...
... attacks can be
somewhat mitigated: traffic with random or improper source addresses
can be suppressed before it does significant damage, and attacks can
...
...
An Ingress Access List is a filter that checks the source address of
every message received on a network interface against a list of
...
... filters and interface access-lists). The procedure is that the
source address is looked up in the Forwarding Information Base (FIB)
...
... RPF) is an extension
of Strict RPF. The source address is still looked up in the FIB (or
an equivalent, RPF ...
... interface; if it points nowhere or to some other interface, the
packets with bogus source addresses will be discarded at the Loose
RPF interface ...
... filtering need only verify the fact and react if
any packets which would show a breach in the contract are detected.
Of course, this mechanism would only show if the source addresses
used are "martian" or other unrouted addresses ...
... explicit route presence check".
In this approach, the router looks up the source address in the route
table, and preserves the packet if a route is found. However, in the
...
... default routes are used only to
catch traffic with bogus source addresses, with an extensive (or even
full) list of explicit routes to cover legitimate traffic.
...
... customers, peers
and upstreams) -- blocking the use of your own addresses as source
addresses -- the attackers may be able to circumvent the protections
of the infrastructure gear.
...
... symmetric. It might even be considered useful to be able to filter
out source addresses coming from an upstream link which should have
...
... 5]. This way the edge routers are configured to first
inspect the source address of a packet destined to an ISP and shunt
it into the appropriate tunnel ...
... attacker "somewhere in the Internet" is being ingress
filtered or not. Therefore, one can only guess whether the source
addresses have been spoofed or not: in any case, getting a possible
lead -- e.g., to contact a potential source to ask whether they're
observing an attack ...
... interfaces to reduce
the size of DoS attacks with unrouted source addresses. In the
downstream interfaces ...
... networks should verify that their own
addresses are not being used in source addresses in the packets
coming from outside their network.
...
... Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827 ...
