Configuring URPF; Overview; URPF Check Modes; How URPF Works - HP 5500 HI Series Configuration Manual


Configuring URPF

The term "router" in this feature refers to both routers and Layer 3 switches.

Overview

Unicast Reverse Path Forwarding (URPF) protects a network against source spoofing attacks, such as
denial of service (DoS) and distributed denial of service (DDoS) attacks.
Attackers launch source spoofing attacks by creating packets with forged source addresses. For
applications using IP-address-based authentication, this type of attack allows unauthorized users to
access the system in the name of authorized users, or to even access the system as the administrator. Even
if the attackers cannot receive any response packets, the attacks are still disruptive to the attacked target.
Figure 126 Attack based on source address spoofing
As shown in Figure 126, an attacker on Router A sends the server (Router B) requests with a forged source
IP address 2.2.2.1, and Router B sends response packets to IP address 2.2.2.1 (Router C). Consequently,
both Router B and Router C are attacked. URPF can prevent such attacks.

URPF check modes

URPF supports two check modes:
Strict URPF—To pass the strict URPF check, the source address and receiving interface of a packet must
match the destination address and output interface of a forwarding information base (FIB) entry. In
some scenarios, such as asymmetrical routing, strict URPF may discard valid packets. Strict URPF is
often deployed between an ISP and the connected users.
Loose URPF—To pass the loose URPF check, the source address of a packet must match the destination
address of a FIB entry. Loose URPF can avoid discarding valid packets, but may let attack
packets through. Loose URPF is often deployed between ISPs, especially in asymmetrical routing.
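
The two check modes, modelled in Python as an added example (not code from the HP manual or from the device). The FIB contents, interface names, destination address and the use of a longest-prefix lookup are assumptions made for illustration; only the forged source 2.2.2.1 and the multicast exemption come from the manual.

```python
import ipaddress

# Constructed FIB for Router B: (destination prefix, output interface).
# Prefixes and interface names are assumptions, not taken from the manual.
FIB = [
    (ipaddress.ip_network("1.1.1.0/24"), "if-to-A"),
    (ipaddress.ip_network("2.2.2.0/24"), "if-to-C"),
]

def fib_lookup(addr):
    """Return the longest-prefix FIB entry covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [entry for entry in FIB if ip in entry[0]]
    return max(hits, key=lambda e: e[0].prefixlen) if hits else None

def urpf_pass(src, dst, in_if, mode):
    """Return True if the packet passes the URPF check in the given mode."""
    if ipaddress.ip_address(dst).is_multicast:
        return True               # URPF does not check multicast packets
    entry = fib_lookup(src)       # reverse lookup: source treated as a destination
    if entry is None:
        return False              # no FIB entry matches the source address
    if mode == "loose":
        return True               # source matches a FIB entry; interface ignored
    if mode == "strict":
        return entry[1] == in_if  # receiving interface must equal output interface
    raise ValueError(f"unknown URPF mode: {mode}")

# Constructed packets seen by Router B: (label, source, destination, receiving interface).
# A valid packet from 2.2.2.1 that arrives on if-to-A over an asymmetric path is
# the same tuple as the spoofed case, which is why strict mode may discard it.
CASES = [
    ("forged source 2.2.2.1 from Router A", "2.2.2.1", "1.1.1.1", "if-to-A"),
    ("genuine packet from Router A side", "1.1.1.8", "2.2.2.9", "if-to-A"),
    ("source with no FIB entry", "203.0.113.5", "1.1.1.1", "if-to-A"),
    ("multicast destination", "203.0.113.5", "224.0.0.5", "if-to-A"),
]

def evaluate():
    """Map each case label to its (strict, loose) verdicts."""
    return {label: (urpf_pass(s, d, i, "strict"), urpf_pass(s, d, i, "loose"))
            for label, s, d, i in CASES}

if __name__ == "__main__":
    for label, (strict, loose) in evaluate().items():
        print(f"{label:38} strict={'pass' if strict else 'drop'} "
              f"loose={'pass' if loose else 'drop'}")
```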

How URPF works

URPF does not check multicast packets.
URPF works in the steps shown in Figure 127.
