Configuring Urpf; Overview; Urpf Check Modes; Features - HP MSR Series Configuration Manual

HPE FlexNetwork MSR Router Series

Configuring uRPF

Overview

Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing
attacks, such as DoS and DDoS attacks.
Attackers send packets with a forged source address to access a system that uses IP-based
authentication, in the name of authorized users or even the administrator. Even if the attackers or
other hosts cannot receive any response packets, the attacks are still disruptive to the attacked
target.
Figure 170 Source address spoofing attack
As shown in Figure 170, an attacker on Router A sends the server (Router B) requests with a forged
source IP address 2.2.2.1 at a high rate. Router B sends response packets to IP address 2.2.2.1
(Router C). Consequently, both Router B and Router C are attacked. If the administrator disconnects
Router C by mistake, the network service is interrupted.
Attackers can also send packets with different forged source addresses or attack multiple servers
simultaneously to block connections or even break down the network.
uRPF can prevent these source address spoofing attacks. It checks whether an interface that
receives a packet is the output interface of the FIB entry that matches the source address of the
packet. If not, uRPF considers it a spoofing attack and discards the packet.

uRPF check modes

uRPF supports strict and loose modes.
Strict uRPF check—To pass the strict uRPF check, the source address of a packet and the
receiving interface must match the destination address and output interface of a FIB entry. In
some scenarios (for example, asymmetrical routing), strict uRPF might discard valid packets.
Strict uRPF is often deployed between a PE and a CE.

Loose uRPF check—To pass the loose uRPF check, the source address of a packet only has to match
the destination address of a FIB entry; the receiving interface is not checked. Loose uRPF avoids
discarding valid packets, but might let attack packets through. Loose uRPF is often deployed
between ISPs, especially where routing is asymmetrical.

Features

Default route—When a default route exists, all packets that fail to match a specific FIB entry match
the default route during the uRPF check and would thus be permitted to pass. To avoid this situation,
you can prevent uRPF from using the default route so that such packets are discarded. If you allow
use of the default route (set by using allow-default-route), uRPF permits packets that match only
the default route. By default, uRPF discards packets that match only a default route. Typically, you
do not need to configure the allow-default-route keyword on a PE device because it has no default
route pointing to the CE. If you enable uRPF on a CE that has a default route pointing to the PE,
select the allow-default-route keyword.
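The following is an added illustration of the decision logic described in the two sections above (strict and loose check modes, and the default-route handling); it is not code from the HPE manual and does not reflect the MSR router's implementation. The FIB table, interface names and packet addresses are constructed for the example; the 2.2.2.1 spoofing case mirrors the Figure 170 scenario, where the forged source arrives on the interface toward Router A even though the FIB points to 2.2.2.1 via the interface toward Router C.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class FibEntry:
    """One forwarding entry: destination prefix and the interface it is reached through."""
    prefix: ipaddress.IPv4Network
    out_iface: str

# Constructed FIB of the router performing the uRPF check (example data, not from the manual).
FIB: List[FibEntry] = [
    FibEntry(ipaddress.ip_network("10.1.0.0/16"), "GE1/0/1"),  # site behind Router A (attacker side)
    FibEntry(ipaddress.ip_network("2.2.2.0/24"),  "GE1/0/2"),  # Router C's network
    FibEntry(ipaddress.ip_network("0.0.0.0/0"),   "GE1/0/3"),  # default route toward upstream
]

def lookup(fib: List[FibEntry], addr: ipaddress.IPv4Address) -> Optional[FibEntry]:
    """Longest-prefix match, as the FIB lookup on the source address would do."""
    best = None
    for entry in fib:
        if addr in entry.prefix and (best is None or entry.prefix.prefixlen > best.prefix.prefixlen):
            best = entry
    return best

def urpf_check(fib: List[FibEntry], src_ip: str, in_iface: str,
               mode: str = "strict", allow_default_route: bool = False) -> Tuple[bool, str]:
    """Return (passed, reason) for one packet.

    strict: receiving interface must equal the FIB output interface for the source address.
    loose:  a FIB entry for the source address is enough; the interface is not checked.
    allow_default_route: whether a match on the default route alone counts as a route.
    """
    entry = lookup(fib, ipaddress.ip_address(src_ip))
    if entry is None:
        return False, "discard: no FIB entry matches the source address"
    # A /0 entry is the default route; by default it does not satisfy the check.
    if entry.prefix.prefixlen == 0 and not allow_default_route:
        return False, "discard: source matches only the default route"
    if mode == "loose":
        return True, "pass (loose): a route to the source exists"
    if mode == "strict":
        if entry.out_iface == in_iface:
            return True, "pass (strict): receiving interface matches FIB output interface"
        return False, f"discard (strict): FIB says {entry.out_iface}, packet arrived on {in_iface}"
    raise ValueError(f"unknown uRPF mode: {mode}")

if __name__ == "__main__":
    # Constructed packets: (source address, receiving interface, description)
    packets = [
        ("2.2.2.1",  "GE1/0/1", "forged source 2.2.2.1 from attacker side (Figure 170)"),
        ("10.1.5.5", "GE1/0/1", "legitimate host behind Router A"),
        ("10.1.5.5", "GE1/0/2", "same host, asymmetric return path"),
        ("8.8.8.8",  "GE1/0/3", "source reachable only via the default route"),
    ]
    for mode in ("strict", "loose"):
        for adr in (False, True):
            print(f"--- mode={mode} allow-default-route={adr}")
            for src, iface, desc in packets:
                ok, why = urpf_check(FIB, src, iface, mode, adr)
                print(f"  {desc:50s} {'PASS' if ok else 'DROP'}  {why}")
```

Running the script shows the trade-off the manual describes: strict mode drops the forged 2.2.2.1 packet but also the legitimate host on the asymmetric path, while loose mode accepts both; the 8.8.8.8 packet is dropped in every mode until allow-default-route is set, and even then strict mode accepts it only on the interface the default route points to.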
