
HP 3600 v2 Series Security Configuration Guide

HP 3600 v2 Series
398 pages
URPF configuration
NOTE:
The term router in this document refers to both routers and Layer 3 switches.
URPF overview
What is URPF
Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks,
such as denial of service (DoS) and distributed denial of service (DDoS) attacks.
Attackers launch attacks by creating a series of packets with forged source addresses. For applications
using IP-address-based authentication, this type of attack allows unauthorized users to access the system
in the name of authorized users, or even to access the system as the administrator. Even if the attackers
cannot receive any response packets, the attacks are still disruptive to the attacked target.
Figure 135 Attack based on source address spoofing
As shown in Figure 135, Router A sends requests to the server (Router B) at a high rate with the forged
source IP address 2.2.2.1, and Router B sends packets to IP address 2.2.2.1 (Router C) in response to the
requests. Consequently, both Router B and Router C are attacked.
URPF can prevent this source address spoofing attack by checking the source addresses of packets and
filtering out invalid packets.
URPF check modes
URPF provides two check modes: strict and loose.
Strict URPF
To pass the strict URPF check, the source address and receiving interface of a packet must match the
destination address and output interface of a forwarding information base (FIB) entry.
In some scenarios, such as asymmetrical routing, strict URPF may discard valid packets.
Strict URPF is often deployed between an internet service provider (ISP) and the connected users.
Loose URPF
To pass the loose URPF check, the source address of a packet must match the destination address of a FIB
entry. Loose URPF can avoid discarding valid packets, but may let some attack packets through.
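
The two check modes can be compared side by side with a small model of the FIB lookup. This is an added example, not code from the HP manual or the switch software: the FIB entries, interface names and sample packets are constructed, and the model assumes a single best route per source (longest-prefix match).

```python
import ipaddress

# Constructed FIB for illustration: (destination prefix, output interface).
FIB = [
    ("1.1.1.0/24", "eth1"),
    ("2.2.2.0/24", "eth2"),
    ("10.0.0.0/8", "eth3"),
    ("10.1.0.0/16", "eth1"),   # more specific route on a different interface
]

def lookup(fib, addr):
    """Longest-prefix match of addr against fib; returns (network, iface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_check(fib, src, in_iface, mode):
    """Return True if a packet with source src received on in_iface passes URPF."""
    entry = lookup(fib, src)
    if entry is None:
        return False                 # no FIB entry for the source: fails both modes
    if mode == "loose":
        return True                  # source only has to match some FIB entry
    if mode == "strict":
        return entry[1] == in_iface  # receiving interface must equal output interface
    raise ValueError(f"unknown mode: {mode}")

# Constructed packets: (source address, receiving interface, description).
PACKETS = [
    ("1.1.1.8", "eth1", "legitimate host on its own interface"),
    ("2.2.2.1", "eth1", "forged source as in Figure 135"),
    ("10.1.5.5", "eth3", "valid host, asymmetric path"),
    ("203.0.113.9", "eth1", "source with no FIB entry"),
]

def evaluate(fib=FIB, packets=PACKETS):
    """Return (src, iface, strict_result, loose_result) for each packet."""
    return [(src, iface, urpf_check(fib, src, iface, "strict"),
             urpf_check(fib, src, iface, "loose")) for src, iface, _ in packets]

if __name__ == "__main__":
    for (src, iface, strict, loose), (_, _, note) in zip(evaluate(), PACKETS):
        print(f"{src:<12} in={iface} strict={'pass' if strict else 'drop'} "
              f"loose={'pass' if loose else 'drop'}  # {note}")
```

The forged 2.2.2.1 packet is dropped only in strict mode, and the asymmetrically routed 10.1.5.5 packet shows the valid traffic that strict mode discards.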
