353
Configuring uRPF
Overview
Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such
as DoS and DDoS attacks.
Attackers send packets with a forged source address to access a system that uses IP-based authentication,
in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot
receive any response packets, the attacks are still disruptive to the attacked target.
Figure 120 Source address spoofing attack
As shown in Figure 120, an attacker on Router A sends the server (Router B) requests with a forged source
IP address 2.2.2.1 at a high rate, and Router B sends response packets to IP address 2.2.2.1 (Router C).
Consequently, both Router B and Router C are attacked. If the administrator disconnects Router C by
mistake, the network service is interrupted.
Attackers can also send packets with different forged source addresses or attack multiple servers
simultaneously to block connections or even break down the network.
uRPF can prevent these source address spoofing attacks. It checks whether an interface that receives a
packet is the output interface of the FIB entry that matches the source address of the packet. If not, uRPF
considers it a spoofing attack and discards the packet.
uRPF check modes
uRPF supports strict and loose modes.
• Strict uRPF check—To pass strict uRPF check, the source address of a packet and the receiving
interface must match the destination address and output interface of a FIB entry. In some scenarios
(for example, asymmetrical routing), strict uRPF might discard valid packets. Strict uRPF is often
deployed between a PE and a CE.
• Loose uRPF check—To pass loose uRPF check, the source address of a packet must match the
destination address of a FIB entry. Loose uRPF can avoid discarding valid packets, but might let go
attack packets. Loose uRPF is often deployed between ISPs, especially in asymmetrical routing.
uRPF operation
Figure 121 shows how uRPF works.
To Next Page
Loading...
