Ingress filtering. A common denial-of-service attack involves an attacker sending a large number of IP packets to a victim with an IP source address that is outside the attacker's subnet. Ingress filtering is a technique that filters and drops such packets at the router that connects the attacker to the Internet. Because it is expected that packets received from the VPN client at the IPSS will have source addresses that are IP addresses from the enterprise subnet, any packets that have source IP addresses outside this subnet can be dropped. This ingress filtering is possible because the encapsulated (inner) IP header is visible at the IPSS.
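The source-address check described above, applied to the decapsulated inner IPv4 header, is sketched below as an added example that is not part of the original text. The enterprise subnet 10.20.0.0/16, the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Assumed enterprise subnet (constructed for this example, not from the text).
ENTERPRISE_SUBNET = ipaddress.ip_network("10.20.0.0/16")


def build_ipv4(src, dst, payload=b""):
    """Build a minimal IPv4 packet (checksum left at zero) as constructed sample input."""
    total_len = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, 17, 0,  # ver/IHL, ToS, len, id, frag, TTL, proto, csum
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )
    return header + payload


def ingress_filter(inner, allowed=ENTERPRISE_SUBNET):
    """Decide whether a decapsulated (inner) IPv4 packet may be forwarded.

    Returns (accept, reason). Anything that cannot be parsed is dropped,
    so a malformed header can never bypass the source-address check.
    """
    if len(inner) < 20:
        return False, "truncated header"
    version, ihl = inner[0] >> 4, inner[0] & 0x0F
    if version != 4:
        return False, "not IPv4"
    if ihl < 5 or len(inner) < ihl * 4:
        return False, "bad header length"
    total_len = struct.unpack("!H", inner[2:4])[0]
    if total_len < ihl * 4 or total_len > len(inner):
        return False, "bad total length"
    # Source address sits at bytes 12..15 of the inner header.
    src = ipaddress.IPv4Address(inner[12:16])
    if src not in allowed:
        return False, f"source {src} outside {allowed}"
    return True, f"source {src} inside {allowed}"


if __name__ == "__main__":
    for pkt in (build_ipv4("10.20.3.7", "10.20.0.1"),
                build_ipv4("203.0.113.9", "10.20.0.1")):
        print(ingress_filter(pkt))
```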