Configuring URPF
The term "router" in this feature refers to both routers and Layer 3 switches.
Overview
Unicast Reverse Path Forwarding (URPF) protects a network against source spoofing attacks, such as denial of service (DoS) and distributed denial of service (DDoS) attacks.
Attackers launch source spoofing attacks by creating packets with forged source addresses. For applications using IP-address-based authentication, this type of attack allows unauthorized users to access the system in the name of authorized users, or even to access the system as the administrator. Even if the attackers cannot receive any response packets, the attacks are still disruptive to the attacked target.
Figure 126 Attack based on source address spoofing
As shown in Figure 126, an attacker on Router A sends the server (Router B) requests with a forged source IP address 2.2.2.1, and Router B sends response packets to IP address 2.2.2.1 (Router C). Consequently, both Router B and Router C are attacked. URPF can prevent such attacks.
URPF check modes
URPF supports two check modes:
• Strict URPF—To pass the strict URPF check, the source address and receiving interface of a packet must match the destination address and output interface of a forwarding information base (FIB) entry. In some scenarios, such as asymmetrical routing, strict URPF may discard valid packets. Strict URPF is often deployed between an ISP and the connected users.
• Loose URPF—To pass the loose URPF check, the source address of a packet must match the destination address of a FIB entry. Loose URPF avoids discarding valid packets, but may let attack packets through. Loose URPF is often deployed between ISPs, especially in asymmetrical routing.
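The following is an added illustration, not code from this guide or from the device software: a small simulation of the two check modes against a constructed FIB for Router B in Figure 126. The interface names (GE0/1 toward Router A, GE0/2 toward Router C) and the prefixes are assumptions; it shows why the spoofed request with source 2.2.2.1 fails strict URPF, why loose URPF lets it through, and why a genuine packet arriving over an asymmetric path is dropped by strict mode.

```python
import ipaddress

# Constructed FIB for Router B: destination prefix -> output interface (assumed names).
FIB = {
    ipaddress.ip_network("1.1.1.0/24"): "GE0/1",   # toward Router A
    ipaddress.ip_network("2.2.2.0/24"): "GE0/2",   # toward Router C
    ipaddress.ip_network("3.3.3.0/24"): "GE0/3",
}


def fib_lookup(addr):
    """Longest-prefix match of addr against the FIB; returns (prefix, interface) or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, iface) for net, iface in FIB.items() if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def urpf_check(src, in_iface, mode):
    """Return True if a packet with source src received on in_iface passes URPF.

    strict: the FIB entry matched by the source must point out the receiving interface.
    loose:  any FIB entry matching the source is enough.
    """
    entry = fib_lookup(src)
    if entry is None:
        return False                      # no route back to the source: drop in both modes
    if mode == "loose":
        return True
    if mode == "strict":
        return entry[1] == in_iface       # reverse path must leave via the arrival interface
    raise ValueError(f"unknown URPF mode: {mode}")


if __name__ == "__main__":
    # Spoofed request from Router A arrives on GE0/1 claiming source 2.2.2.1 (Router C).
    print("spoofed, strict:", urpf_check("2.2.2.1", "GE0/1", "strict"))   # False: dropped
    print("spoofed, loose: ", urpf_check("2.2.2.1", "GE0/1", "loose"))    # True: let through
    # Genuine packet from 2.2.2.1 that arrived on GE0/1 because of asymmetric routing
    # is indistinguishable to strict mode and is also dropped; loose mode keeps it.
    # Source with no route at all: dropped in both modes.
    print("unroutable, loose:", urpf_check("10.9.9.9", "GE0/1", "loose"))  # False
```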
How URPF works
URPF does not check multicast packets.
URPF works in the steps, as shown in