Configuring URPF
Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks,
such as DoS and DDoS attacks.
Attackers send packets with a forged source address, impersonating authorized users or even the administrator, to access a system that uses IP-based authentication. Even if the attackers receive no response packets, the attack is still disruptive.
Figure 104 Source address spoofing attack
As shown in Figure 104, an attacker on Router A sends the server (Router B) requests with a forged source IP address 2.2.2.1, and Router B sends response packets to IP address 2.2.2.1 (Router C). Consequently, both Router B and Router C are attacked. URPF can prevent such attacks.
The term "router" in this document refers to both routers and Layer 3 switches.
URPF check modes
URPF supports two check modes:
• Strict URPF—To pass strict URPF check, the source address of a packet and the receiving interface must match the destination address and output interface of a FIB entry. In some cases such as asymmetrical routing, strict URPF may discard valid packets. Strict URPF is often deployed between a PE device and a CE device.
• Loose URPF—To pass loose URPF check, the source address of a packet must match the destination address of a FIB entry. Loose URPF can avoid discarding valid packets, but may let attack packets pass. Loose URPF is often deployed between ISPs, especially in asymmetrical routing.
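The two check modes, as an added example that is not from the configuration guide: a small Python model of a router FIB with longest-prefix match, applying strict and loose URPF to the spoofed packet from Figure 104 and to a valid packet that arrived over an asymmetric path. The FIB prefixes and interface names (GE1/0/1 and so on) are constructed.

```python
import ipaddress

# Constructed FIB for Router B in the figure (hypothetical interface names):
# prefix -> output interface. GE1/0/1 faces Router A, GE1/0/2 faces Router C.
FIB = {
    "10.0.0.0/8":  "GE1/0/1",   # Router A's side
    "10.1.0.0/16": "GE1/0/3",   # a more specific route via a third link
    "2.2.2.0/24":  "GE1/0/2",   # Router C's subnet
}

def fib_lookup(fib, addr):
    """Longest-prefix match of addr in fib; returns the output interface or None.
    A default route (0.0.0.0/0) is ignored: whether URPF accepts a default
    route is implementation-specific and not modeled here."""
    ip = ipaddress.ip_address(addr)
    best_net, best_iface = None, None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 or ip not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_iface = net, iface
    return best_iface

def urpf_check(fib, src, in_iface, mode):
    """True if a packet with source src arriving on in_iface passes URPF.
    Both modes need a FIB entry reaching src; strict also needs that entry's
    output interface to equal the receiving interface."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    out_iface = fib_lookup(fib, src)
    if out_iface is None:
        return False              # no route back to the source: drop in both modes
    if mode == "loose":
        return True               # a reachable source is enough for loose URPF
    return out_iface == in_iface  # strict: reverse path must use the ingress interface

def demo():
    """Reproduce the figure's attack plus an asymmetric-routing case."""
    return {
        # Forged source 2.2.2.1 (Router C's address) arriving from Router A's link
        "spoof_strict": urpf_check(FIB, "2.2.2.1", "GE1/0/1", "strict"),
        "spoof_loose":  urpf_check(FIB, "2.2.2.1", "GE1/0/1", "loose"),
        # Source with no route at all: dropped by both modes
        "unrouted_loose": urpf_check(FIB, "203.0.113.5", "GE1/0/1", "loose"),
        # Valid packet from 10.2.2.2 that came in via GE1/0/3 on an asymmetric path
        "asym_strict": urpf_check(FIB, "10.2.2.2", "GE1/0/3", "strict"),
        "asym_loose":  urpf_check(FIB, "10.2.2.2", "GE1/0/3", "loose"),
    }
```

The spoofed packet is dropped by strict URPF but accepted by loose URPF because 2.2.2.1 is still a routable address, while the asymmetric case shows strict URPF discarding a legitimate packet.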
URPF work flow
URPF does not check multicast packets.