A Comprehensive Analysis of Spoofing

This article gives an in-depth explanation of internet protocol (IP) and email address spoofing. What are the steps for IP spoofing? Why might an attacker want to spoof an IP or email address?

7. Avoiding Spoofing

Packet filtering is the best method to avoid various spoofing attacks. In this section we describe three packet filtering methods that are used to filter spoofed packets:

  1. Ingress Filtering Method (IFM)
  2. Egress Filtering Method (EFM)
  3. Spoofing Prevention Method (SPM)


A. Ingress Filtering Method

  • Ingress filtering is a technique used to make sure that incoming packets are actually from the networks that they claim to be from.
  • Networks receive packets from other networks. Normally a packet will contain the IP address of the computer that originally sent it. This allows other computers in the network to know where it came from, which is needed for things like sending a packet back to the sending computer.
  • In certain cases, the sending IP address will be spoofed. This is usually done as part of an attack, so that the attacked computer does not know where the attack is really coming from.
  • Filtering a packet means that the packet is not processed normally but is denied in some way. The computer processing the packet might simply ignore it completely, or, where possible, it might send a packet back to the sender saying that the packet is denied.
  • In ingress filtering, a packet entering the network is filtered if the network it arrived from is not permitted to send packets carrying that packet's source IP address.
  • In order to do ingress filtering, the network needs to know which IP addresses each of the networks it is connected to may send. This is not always possible. For instance, a network that has a single connection to the Internet has no way to know if a packet coming from that connection is spoofed or not.
  • Ingress filtering is a packet filtering technique used by many Internet service providers to try to prevent source address spoofing of Internet traffic, and thus indirectly combat various types of net abuse by making Internet traffic traceable to its source.
  • Ingress filtering is a "good neighbor" policy which relies on mutual cooperation between ISPs for their mutual benefit.
  • There are many possible ways of implementing this policy; one common mechanism is to enable reverse path forwarding on links to customers, which will indirectly apply this policy based on the provider's route filtering of their customers' route announcements.


B. Egress Filtering Method

  • Egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another. Typically it is information from a private TCP/IP computer network to the Internet that is controlled.
  • TCP/IP packets that are being sent out of the internal network are examined by a router or firewall. Packets that do not meet security policies are not allowed to leave; they are denied "egress".
  • Egress filtering helps ensure that unauthorized or malicious traffic never leaves the internal network.
  • In a corporate network, typically all traffic except that emerging from a select set of servers would be denied egress. Restrictions can further be made such that only select protocols such as HTTP, email, and DNS are allowed. User workstations would then need to be set to use one of the allowed servers as a proxy. Direct access to external networks by the internal user workstation would not be allowed.
  • Egress filtering may require policy changes and administrative work whenever a new application requires external network access. For this reason egress filtering is an uncommon feature on consumer and very small business networks.
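The two filters in sections A and B can be expressed as simple decision functions over the packet header. The block below is an added example written for this article, not code from the original text: it implements an ISP border router's ingress check (once as an explicit per-interface prefix list, once as strict reverse-path forwarding derived from a routing table, as section A describes) and a corporate border's egress check (only designated proxy, mail and DNS servers may leave, and only on their allowed protocols, as section B describes). All prefixes, interface names and server addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet: the header fields the two filters look at."""
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


# --- Ingress filtering at an ISP border router (constructed topology) ---
# Each customer-facing interface may only source packets from the prefixes the
# provider assigned to that customer. Interfaces with no entry (the upstream
# transit link) cannot be validated, which is the limitation section A notes.
INGRESS_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25")],
}


def ingress_verdict(arrival_iface: str, pkt: Packet) -> str:
    """Return 'accept', 'drop' or 'unverifiable' for a packet on arrival_iface."""
    allowed = INGRESS_PREFIXES.get(arrival_iface)
    if allowed is None:
        return "unverifiable"
    src = ipaddress.ip_address(pkt.src)
    return "accept" if any(src in net for net in allowed) else "drop"


# Strict reverse-path forwarding: the same policy derived from the routing
# table. A packet passes only if the best route back to its source address
# points at the interface the packet arrived on.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "upstream"),
    (ipaddress.ip_network("203.0.113.0/24"), "cust-a"),
    (ipaddress.ip_network("198.51.100.0/25"), "cust-b"),
]


def strict_urpf(arrival_iface: str, pkt: Packet) -> bool:
    src = ipaddress.ip_address(pkt.src)
    matches = [(net, iface) for net, iface in ROUTES if src in net]
    _, best_iface = max(matches, key=lambda m: m[0].prefixlen)  # longest prefix wins
    return best_iface == arrival_iface


# --- Egress filtering at a corporate border (constructed policy) ---
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
# Only these internal servers may talk to the outside, each on its own protocols.
EGRESS_SERVERS = {
    "10.0.0.25": {("tcp", 80), ("tcp", 443)},   # web proxy used by workstations
    "10.0.0.26": {("tcp", 25)},                 # outbound mail relay
    "10.0.0.53": {("udp", 53), ("tcp", 53)},    # recursive resolver
}


def egress_verdict(pkt: Packet) -> str:
    """Decide whether an outbound packet may leave the internal network."""
    if ipaddress.ip_address(pkt.src) not in INTERNAL:
        return "drop: spoofed source"      # our network never originates this address
    allowed = EGRESS_SERVERS.get(pkt.src)
    if allowed is None:
        return "drop: workstation must use proxy"
    if (pkt.proto, pkt.dport) not in allowed:
        return "drop: protocol not allowed"
    return "accept"


if __name__ == "__main__":
    print(ingress_verdict("cust-a", Packet("198.51.100.9", "192.0.2.1")))   # drop
    print(strict_urpf("upstream", Packet("203.0.113.7", "198.51.100.9")))   # False
    print(egress_verdict(Packet("192.0.2.99", "192.0.2.1", "tcp", 443)))    # drop: spoofed source
```

The uRPF variant is the one section A calls the common mechanism: it needs no separate prefix list because the provider's route filtering of customer announcements already decides which interface each prefix belongs to.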


C. Spoofing Prevention Method (SPM)

The Spoofing Prevention Method (SPM) is a newer approach for filtering spoofed IP packets. The method enables routers closer to the destination of a packet to verify the authenticity of the packet's source address. This stands in contrast to standard ingress filtering, which is effective mostly at routers next to the source and is ineffective otherwise. In the proposed method a unique temporal key is associated with each ordered pair of source and destination networks (ASes, autonomous systems). Each packet leaving a source network S is tagged with the key K(S, D) associated with (S, D), where D is the destination network. Upon arrival at the destination network the key is verified and removed. Thus the method verifies the authenticity of packets carrying an address s that belongs to network S. An efficient implementation of the method, ensuring that routers are not overloaded, is presented. The major benefits of the method are the strong incentive it provides to network operators to implement it, and the fact that the method lends itself to stepwise deployment, since it benefits networks deploying the method even if it is implemented only on parts of the Internet. These two properties, not shared by alternative approaches, make it an attractive and viable solution to the packet spoofing problem.
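To make the tag-and-verify flow concrete, the block below is an added example written for this article, not the SPM authors' implementation: the border router of S tags packets with K(S, D), and the border router of D verifies and strips the tag. The per-pair secrets, the derivation of the temporal key as an HMAC over the pair and an epoch counter, the 8-byte tag length and the one-epoch rollover tolerance are all assumptions made for the example; the AS names and prefixes are constructed. It also shows the stepwise-deployment property: packets from a network that has no SPM relationship with D are passed on untagged rather than dropped.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional, Tuple

# Constructed address plan: which prefixes each autonomous system originates.
AS_PREFIXES = {
    "AS-S": [ipaddress.ip_network("203.0.113.0/24")],
    "AS-D": [ipaddress.ip_network("198.51.100.0/24")],
    "AS-X": [ipaddress.ip_network("192.0.2.0/24")],   # does not deploy SPM
}
# Constructed secrets agreed between the operators of each participating
# (source, destination) pair; K(S, D) for an epoch is derived from them.
PAIR_SECRETS = {
    ("AS-S", "AS-D"): b"constructed-secret-S-to-D",
    ("AS-D", "AS-S"): b"constructed-secret-D-to-S",
}
TAG_LEN = 8  # bytes of key carried in each packet (assumption for this example)


def owner_as(addr: str) -> Optional[str]:
    """Which network a source/destination address belongs to (None if unknown)."""
    ip = ipaddress.ip_address(addr)
    for asn, nets in AS_PREFIXES.items():
        if any(ip in net for net in nets):
            return asn
    return None


def temporal_key(src_as: str, dst_as: str, epoch: int) -> Optional[bytes]:
    """K(S, D) for one time epoch; None when the pair has no SPM relationship."""
    secret = PAIR_SECRETS.get((src_as, dst_as))
    if secret is None:
        return None
    msg = f"{src_as}|{dst_as}|{epoch}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:TAG_LEN]


def tag_at_source(pkt: dict, my_as: str, epoch: int) -> dict:
    """Border router of network my_as tags a packet leaving it.

    Only packets whose source address really belongs to my_as are tagged, so a
    router never vouches for a spoofed address passing through its network.
    """
    dst_as = owner_as(pkt["dst"])
    if owner_as(pkt["src"]) != my_as or dst_as is None:
        return dict(pkt)
    key = temporal_key(my_as, dst_as, epoch)
    return dict(pkt, tag=key) if key is not None else dict(pkt)


def verify_at_destination(pkt: dict, my_as: str, epoch: int) -> Tuple[str, dict]:
    """Border router of D checks and removes the tag. Returns (verdict, packet)."""
    src_as = owner_as(pkt["src"])
    stripped = {k: v for k, v in pkt.items() if k != "tag"}
    if src_as is None or (src_as, my_as) not in PAIR_SECRETS:
        return "untagged", stripped   # source network not deploying SPM: fall back to other filters
    tag = pkt.get("tag")
    if tag is not None:
        for e in (epoch, epoch - 1):  # tolerate a key rollover in flight
            if hmac.compare_digest(tag, temporal_key(src_as, my_as, e)):
                return "accept", stripped
    return "drop", stripped           # claims an address in S but lacks K(S, D)


if __name__ == "__main__":
    legit = tag_at_source({"src": "203.0.113.7", "dst": "198.51.100.9"}, "AS-S", 100)
    print(verify_at_destination(legit, "AS-D", 100)[0])                          # accept
    forged = {"src": "203.0.113.7", "dst": "198.51.100.9"}                      # sent from AS-X
    print(verify_at_destination(tag_at_source(forged, "AS-X", 100), "AS-D", 100)[0])  # drop
```

The decisive case is the last one: a packet claiming a source in S but injected elsewhere reaches D without K(S, D), so D can drop it even though no router near the attacker performed ingress filtering.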


D. Some other plans to avoid spoofing in web applications:

  • Use cryptographic signatures to exchange authenticated email messages. Authenticated email provides a mechanism for ensuring that messages are from whom they appear to be, as well as ensuring that the message has not been altered in transit. Similarly, sites may wish to consider enabling SSL/TLS in their mail transfer software. Using certificates in this manner increases the amount of authentication performed when sending mail.
  • Configure your mail delivery daemon to prevent someone from directly connecting to your SMTP port to send spoofed email to other sites.
  • Ensure that your mail delivery daemon allows logging and is configured to provide sufficient logging to assist you in tracking the origin of spoofed email.
  • Consider a single point of entry for email to your site. You can implement this by configuring your firewall so that SMTP connections from outside your firewall must go through a central mail hub. This will provide you with centralized logging, which may assist in detecting the origin of mail spoofing attempts to your site.
  • Educate your users about your site's policies and procedures in order to prevent them from being "social engineered," or tricked, into disclosing sensitive information (such as passwords). Have your users report any such activities to the appropriate system administrator(s) as soon as possible.
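The second, third and fourth recommendations above are policy decisions a mail daemon and perimeter firewall make per connection. The block below is an added example written for this article, not configuration from any particular mail server: it models the relay decision (local delivery is always accepted; relaying to other sites only for authenticated or internal clients; anything else refused), writes the audit line the third recommendation asks for, and models the firewall rule that forces outside SMTP connections through a single hub. Domains, networks, the hub address and the function names are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone

LOCAL_DOMAINS = {"example.com"}                      # domains this site accepts mail for
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # clients trusted to relay outbound
MAIL_HUB = ipaddress.ip_address("192.0.2.25")        # the single point of entry for SMTP


@dataclass
class AuditLog:
    """Collects one line per decision so the origin of spoofing attempts can be traced."""
    lines: list = field(default_factory=list)

    def record(self, client: str, mail_from: str, rcpt: str, decision: str) -> None:
        ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        self.lines.append(f"{ts} client={client} from=<{mail_from}> to=<{rcpt}> {decision}")


def firewall_allows_smtp(src: str, dst: str) -> bool:
    """Perimeter rule: outside hosts may open port 25 only to the central hub."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in net for net in INTERNAL_NETS):
        return True
    return d == MAIL_HUB


def relay_decision(client_ip: str, authenticated: bool,
                   mail_from: str, rcpt: str, log: AuditLog) -> str:
    """Decide a RCPT TO on the hub and log it. Returns the SMTP reply text."""
    domain = rcpt.rpartition("@")[2].lower()
    client = ipaddress.ip_address(client_ip)
    if domain in LOCAL_DOMAINS:
        decision = "250 accept (local delivery)"
    elif authenticated or any(client in net for net in INTERNAL_NETS):
        decision = "250 accept (authorised relay)"
    else:
        # An outside client asking us to forward mail to a third site: refusing
        # this is what keeps the hub from being used to send spoofed mail elsewhere.
        decision = "554 5.7.1 relay denied"
    log.record(client_ip, mail_from, rcpt, decision)
    return decision


if __name__ == "__main__":
    log = AuditLog()
    print(relay_decision("198.51.100.7", False, "ceo@example.com", "victim@other.example", log))
    print(relay_decision("10.0.0.5", False, "alice@example.com", "bob@other.example", log))
    print("\n".join(log.lines))
```

Because every outside connection must reach the hub, the hub's log is the one place to look when another site reports spoofed mail claiming to come from this domain.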