Ingress filtering is a computer security technique that relies on scanning incoming packets to confirm their validity. If a packet does not appear to match its purported source, the network can hold it and may refuse to allow the information through. This can protect users from malicious attacks based on spoofing, where a hacker attempts to make a packet look like it originated from somewhere else. Internet service providers (ISPs) typically use ingress filtering to defend their customers, and an individual home or office network can have additional safety measures in place.
With this procedure in place, the system examines all incoming packets to get information about their origins. The system compares this information to a database to determine if a packet is indeed from the place it says it is. If it appears to be a match, it can be allowed through. If there is a problem with the source, the system can hold the packet, keeping it out of the network and protecting any users who might be attached to the network.
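The source check described above, sketched as an added example that is not part of the original article. It assumes the "database" is a per-interface table of expected source prefixes; the interface names, prefixes (documentation ranges) and function names are constructed for illustration.

```python
import ipaddress

# Constructed "database": source prefixes expected on each ingress interface.
# Interface names and prefixes are documentation ranges, not real assignments.
ALLOWED_SOURCES = {
    "cust-a": ["198.51.100.0/24", "2001:db8:a::/48"],
    "cust-b": ["203.0.113.0/25"],
}

def build_table(raw):
    """Parse prefix strings once so each lookup is a cheap membership test."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in raw.items()}

def check_packet(table, ifname, src):
    """Return (verdict, reason) for the source address a packet claims."""
    prefixes = table.get(ifname)
    if prefixes is None:
        return ("drop", "unknown interface")
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return ("drop", "malformed source address")
    for net in prefixes:
        # Compare only within the same address family (IPv4 vs IPv6).
        if addr.version == net.version and addr in net:
            return ("accept", f"source within {net}")
    return ("drop", "source not assigned to this interface")

def filter_batch(table, packets):
    """Split packets into forwarded and held lists, keeping the reason."""
    forwarded, held = [], []
    for ifname, src in packets:
        verdict, reason = check_packet(table, ifname, src)
        (forwarded if verdict == "accept" else held).append((ifname, src, reason))
    return forwarded, held

# Constructed sample traffic: (ingress interface, claimed source address).
SAMPLE = [
    ("cust-a", "198.51.100.17"),   # matches cust-a's prefix
    ("cust-a", "203.0.113.5"),     # cust-b's address arriving via cust-a
    ("cust-b", "203.0.113.200"),   # outside cust-b's /25
    ("cust-a", "2001:db8:a::1"),   # matches cust-a's IPv6 prefix
    ("cust-b", "not-an-ip"),       # unparseable source field
]

if __name__ == "__main__":
    fwd, held = filter_batch(build_table(ALLOWED_SOURCES), SAMPLE)
    for row in fwd:
        print("forward", row)
    for row in held:
        print("hold   ", row)
```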
One potential use for ingress filtering is to combat denial-of-service (DoS) attacks. These attacks rely on flooding networks with packets, many of which are spoofed to conceal their origins. A system that can trap spoofed packets can keep the network running while under attack, as the network will not have to process the malicious packets. It is also possible to compare the spoofing information against known databases to link related attacks, which helps in tracking infected computers and malicious users.
Internet service providers work with each other to provide ingress filtering. They need to regularly update their own databases for the benefit of partners, and rely on updated databases maintained by other ISPs to access accurate and detailed information. This cooperation is a practical business move on the part of service providers, who can provide customers with greater safety and security by cooperating, even with rivals who may vie for customers and attention.
Within an individual home or office network, ingress filtering may also be enabled. The network can catch packets an ISP may not have identified as a problem, depending on the type of filtering used. This adds an extra layer of security for individual users, along with other safety measures like scanning incoming information for viruses and other malicious software that may pose a risk to the safety of computer systems or data on the network.