Problem solve Get help with specific problems with your technologies, process and projects.

Use egress filtering to prevent DoS attacks

Take a few minutes to add egress filtering to your customer's perimeter-protection devices so you can make the network less attractive to would-be attackers and prevent denial of service (DoS) attacks.

Take a few minutes to add egress filtering to your customer's perimeter-protection devices so you can make the...

network less attractive to would-be attackers and prevent denial of service (DoS) attacks. VARs and security consultants can get the basics in this tip, which originally appeared on

If you've been around routers and firewalls for any amount of time, you're probably familiar with the concept of ingress filtering -- the application of a firewall rulebase to inbound traffic. Ingress filtering allows you to control the traffic that enters your network and restrict activity to legitimate purposes.

You might not be familiar with a similar security technique known as egress filtering, which controls the traffic headed out of your network. The addition of a few simple rules to your border router and/or firewall allows you to provide a good deal of protection against many categories of malicious activity. Two of the rules you may wish to consider implementing are:

  • No outbound traffic bears a source IP address not assigned to your network. (This is the basic egress filtering rule.)

  • No outbound traffic bears a private (non-routable) IP address. (This should be true anyway, but it's a good idea to block and log this type of traffic to determine the source of the error.)

As with any security control, exceptions to the standard egress filtering policy may be necessary depending upon your organization's unique needs. These rules should be used as the basic building blocks of policy and exceptions should be made as necessary for legitimate business purposes.

Why should you care about egress filtering? After all, isn't the point of a secure perimeter to prevent malicious traffic from entering the network? Quite simply, egress filtering is the socially responsible thing to do. Taking these measures can restrict the usefulness of your network to those who seek to launch denial-of-service (DoS) attacks against other Internet sites. If your site is used for such an attack, you'll probably find yourself being pestered by other security administrators, at a minimum. In the worst case, you may find yourself the subject of a law enforcement investigation despite the fact that you did nothing wrong!

The egress filtering rules also have analogs in the ingress filtering arena:

  • No inbound traffic bears a source IP address assigned to your network.
  • No inbound traffic bears a private (non-routable) IP address.

These rules seem like common sense, but they're often forgotten by firewall administrators caught up in the design of complex rulesets restricting activity by port. It will only take a few minutes to add these measures to your perimeter-protection devices and they could mean the prevention of a major headache in the event a malicious individual attempts to use your site as a launching point for a DoS attack.

About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the
TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the SANS GSEC Prep Guide from John Wiley. He's also the Guide to Databases.

This tip originally appeared on

This was last published in March 2007

Dig Deeper on Network security products, technologies, services



Find more PRO+ content and other member only offers, here.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.