Ingress filtering (also known as uRPF or source address verification) prevents packets with spoofed source addresses from entering the network. By validating that incoming packets have legitimate source addresses (based on routing tables or prefix lists), ingress filtering directly blocks many spoofed DDoS attacks, which often rely on forged source IP addresses.
This principle is foundational in network security design per CCDE v3.1:
Stops source-spoofed attacks before they enter.
Protects critical infrastructure from volumetric and reflection/amplification attacks.
Forms part of secure edge design best practices.
Why other options are incorrect:
A: DSCP remarking relates to traffic classification, not spoof prevention.
C: Bogon classification isn't the main function of ingress filtering.
D: RFC 1918 filtering is a special policy but not the core function of ingress filtering.
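The source-address check described above, as an added example that is not part of the original page: a small Python model of a uRPF-style decision in strict and loose mode, using longest-prefix match against a routing table. The routes, interface names, sample packets and the `allow_default` parameter are all constructed for illustration.

```python
import ipaddress

# Constructed FIB for a hypothetical edge router: (prefix, interface the route uses).
FIB = [
    ("0.0.0.0/0", "upstream0"),
    ("198.51.100.0/24", "cust1"),
    ("203.0.113.0/25", "cust2"),
    ("203.0.113.128/25", "cust3"),
]
ROUTES = [(ipaddress.ip_network(p), ifname) for p, ifname in FIB]


def best_route(src):
    """Longest-prefix match for src; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    matches = [(net, ifname) for net, ifname in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)


def urpf_permit(src, in_if, mode="strict", allow_default=False):
    """Decide whether a packet with source src arriving on in_if is accepted.

    strict: the best route back to src must point out of in_if.
    loose:  any route to src is enough, whatever interface it uses.
    A match on the default route counts only when allow_default is set.
    """
    route = best_route(src)
    if route is None:
        return False
    net, ifname = route
    if net.prefixlen == 0 and not allow_default:
        return False
    return True if mode == "loose" else ifname == in_if


# Constructed packets: (source address, arrival interface, mode, note).
PACKETS = [
    ("198.51.100.7", "cust1", "strict", "customer using its own prefix"),
    ("203.0.113.200", "cust1", "strict", "cust1 forging cust3's address"),
    ("203.0.113.200", "cust1", "loose", "same packet, loose mode"),
    ("192.0.2.9", "cust2", "strict", "source covered only by the default route"),
]

if __name__ == "__main__":
    for src, in_if, mode, note in PACKETS:
        verdict = "permit" if urpf_permit(src, in_if, mode) else "drop"
        print(f"{verdict:6} {mode:6} {in_if:9} {src:15} {note}")
```

The second and third packets show why strict mode is preferred on single-homed customer edges: loose mode accepts any routable source, so it does not stop one customer from forging another customer's address.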