Ingress [Ferguson and Senie 2000] and egress [Killalea 2000] filtering are the
best-known filtering methods. Run on a router at the border of a network,
ingress/egress filtering checks the addresses of packets flowing into and out of
an edge network. For a packet originating from the edge network, if the source
address does not belong to the edge network, the packet is a spoofing packet.
Similarly, for a packet originating outside the edge network, if the source address
does belong to the edge network, the packet is a spoofing packet.
The border router is easily able to filter out any packet it identifies as a spoofing
packet. If this simple filtering mechanism were implemented on all networks,
attackers would be limited to only spoofing addresses within their own local
network. Unfortunately, as the Spoofer Project shows us, such universal deployment
is not a reality. Furthermore, there is not much incentive for a network to
deploy ingress/egress filtering; when a network deploys ingress/egress filtering,
it has only a minimal effect on how many other networks are able to spoof its
source addresses. But incentive is not the only problem; without nearly 100%
deployment, ingress/egress filtering is ineffective [Park and Lee 2001]. Even
if only a small number of networks do not implement ingress/egress filtering,
hosts within those unprotected networks would still be able to spoof nearly any
source address.
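The filtering rule just described, and the partial-deployment argument that follows it, can both be made concrete in a small model. The code below is an added example written for this page; it is not from the cited papers or the Spoofer Project. It uses only the Python standard library, and the prefixes, packets and deployment map are constructed sample values (RFC 5737 documentation ranges), not measurements. `is_spoofed` applies the ingress/egress rule at one border router; `networks_able_to_spoof` generalises the text's observation that a network's own deployment barely changes who can spoof its addresses.

```python
# Added example (not from the survey): a minimal model of ingress/egress
# filtering at an edge network's border router, plus a model of how partial
# deployment affects which networks can still spoof a given address.
import ipaddress
from typing import Dict, Iterable, List, Tuple

Packet = Tuple[str, str]  # (source IP, direction): direction is "ingress" or "egress"


def is_spoofed(src_ip: str, edge_prefixes: Iterable[str], direction: str) -> bool:
    """Classify one packet as the border router of an edge network sees it.

    "egress": the packet originated inside the edge network and is leaving it;
              its source address must belong to the edge network.
    "ingress": the packet originated outside and is entering; its source
              address must NOT belong to the edge network.
    """
    src = ipaddress.ip_address(src_ip)
    inside = any(src in ipaddress.ip_network(p) for p in edge_prefixes)
    if direction == "egress":
        return not inside
    if direction == "ingress":
        return inside
    raise ValueError("direction must be 'ingress' or 'egress'")


def filter_packets(packets: Iterable[Packet], edge_prefixes: Iterable[str]) -> Tuple[List[Packet], List[Packet]]:
    """Split packets into (forwarded, dropped) according to is_spoofed."""
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for src_ip, direction in packets:
        bucket = dropped if is_spoofed(src_ip, edge_prefixes, direction) else forwarded
        bucket.append((src_ip, direction))
    return forwarded, dropped


def can_emit_source(origin_net: str, deploys_filtering: bool, candidate_src: str) -> bool:
    """Can a host inside origin_net get a packet with source candidate_src past
    its own border? With egress filtering only inside addresses survive;
    without it, any source address leaves the network unchallenged."""
    if not deploys_filtering:
        return True
    return ipaddress.ip_address(candidate_src) in ipaddress.ip_network(origin_net)


def networks_able_to_spoof(target_src: str, deployment: Dict[str, bool]) -> List[str]:
    """deployment maps an edge prefix to whether it runs ingress/egress
    filtering. Returns the prefixes from which target_src can be spoofed.
    This is the coverage question a defender asks: how much of the Internet
    must deploy filtering before my addresses are protected?"""
    return [net for net, deploys in deployment.items()
            if can_emit_source(net, deploys, target_src)]


# Constructed sample data (RFC 5737 documentation prefixes, not real networks).
EDGE = ["198.51.100.0/24"]
SAMPLE_PACKETS: List[Packet] = [
    ("198.51.100.7", "egress"),   # inside source leaving: legitimate
    ("203.0.113.9", "egress"),    # outside source leaving: spoofed, drop
    ("203.0.113.9", "ingress"),   # outside source entering: legitimate
    ("198.51.100.7", "ingress"),  # inside source entering: spoofed, drop
]
DEPLOYMENT = {
    "198.51.100.0/24": True,   # the network whose address we care about
    "203.0.113.0/24": False,   # a network that never deployed filtering
    "192.0.2.0/24": True,      # a network that did
}

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS, EDGE)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
    print("can spoof 198.51.100.7:", networks_able_to_spoof("198.51.100.7", DEPLOYMENT))
    # Turning off the victim network's own filtering changes nothing for it:
    local_off = dict(DEPLOYMENT, **{"198.51.100.0/24": False})
    print("same, with own filtering off:", networks_able_to_spoof("198.51.100.7", local_off))
```

Running the block shows the incentive problem from the text directly: the list of networks able to spoof `198.51.100.7` is identical whether or not `198.51.100.0/24` itself deploys filtering, because the only thing that removes a network from that list is *that* network deploying egress filtering. Any single non-deploying prefix (here `203.0.113.0/24`) remains a source of arbitrary spoofed addresses.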