RFC 2827 Best Current Practice

Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing

P. Ferguson, D. Senie · 2000-05

Abstract

BCP 38 recommends that ISPs filter packets arriving from a customer when the source address does not fall within the address space allocated to that customer. This ingress filtering prevents attackers from injecting packets with spoofed source addresses into the global Internet, reducing the effectiveness of reflection and amplification DDoS attacks. RFC 2827 updates RFC 2267.
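The per-interface check described in the abstract, as an added Python example that is not taken from RFC 2827. The interface names, prefixes and sample packets are constructed (documentation address ranges), and the function names are assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Constructed table: customer-facing interface -> prefixes allocated to that
# customer. Documentation ranges only; names and prefixes are assumptions.
ALLOCATIONS = {
    "cust-a": ["192.0.2.0/24", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/25"],
}

def build_filter(allocations):
    """Parse prefix strings once so each packet check is a membership test."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in allocations.items()}

def ingress_decision(table, ifname, src):
    """Return (action, reason) for a packet arriving on a customer interface."""
    prefixes = table.get(ifname)
    if prefixes is None:
        return ("drop", "no allocation configured for interface")
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return ("drop", "unparseable source address")
    # An IPv4 address is never "in" an IPv6 network (and vice versa).
    if any(addr in net for net in prefixes):
        return ("forward", "source within customer allocation")
    return ("drop", "source outside customer allocation")

def apply_filter(table, packets):
    """Split packets into forwarded ones and per-interface drop counts."""
    forwarded, drops = [], Counter()
    for ifname, src in packets:
        action, _ = ingress_decision(table, ifname, src)
        if action == "forward":
            forwarded.append((ifname, src))
        else:
            drops[ifname] += 1
    return forwarded, dict(drops)

# Constructed sample traffic: (arrival interface, claimed source address).
SAMPLE = [
    ("cust-a", "192.0.2.17"),       # legitimate
    ("cust-a", "198.51.100.9"),     # cust-b's address arriving on cust-a's port
    ("cust-b", "198.51.100.9"),     # same address, correct port
    ("cust-b", "198.51.100.200"),   # same /24 but outside the /25 allocation
    ("cust-a", "2001:db8:a:1::5"),  # legitimate IPv6
    ("cust-a", "203.0.113.7"),      # unrelated third-party address
]
```

The decision depends on the arrival interface as well as the address: `198.51.100.9` is forwarded from `cust-b` and dropped from `cust-a`, and the per-interface drop counts give an operator a signal for which customer port is sourcing out-of-range traffic.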

Why This RFC Matters

BCP 38 / RFC 2827 is one of the most important operational security standards in Internet routing. IP source-address spoofing underpins many DDoS amplification attacks (DNS, NTP, SSDP reflection). Widespread deployment of ingress filtering at network edges would eliminate the ability to forge arbitrary source addresses, dramatically reducing the attack surface. Despite its importance, BCP 38 adoption remains incomplete globally, making spoofing-based DDoS a persistent threat.
