Configuring URPF; URPF Check Modes; How URPF Works - HP A5830 Series Configuration Manual

Configuring URPF

The term "router" in this document refers to both routers and Layer 3 switches.
URPF protects a network against source address spoofing attacks, such as DoS and DDoS attacks.
Attackers launch attacks by creating a series of packets with forged source addresses. For applications
using IP-address-based authentication, this type of attack allows unauthorized users to access the system
in the name of authorized users, or even to access the system as the administrator. Even if the attackers
cannot receive any response packets, the attacks are still disruptive to the attacked target.
Figure 80 Attack based on source address spoofing
As shown in Figure 80, Router A sends the server (Router B) requests with a forged source IP address
2.2.2.1 at a high rate, and Router B sends packets to IP address 2.2.2.1 (Router C) in response to the
requests. Consequently, both Router B and Router C are attacked.
URPF can prevent this source address spoofing attack by checking the source addresses of packets and
filtering out invalid packets.

URPF check modes

URPF provides two check modes: strict and loose.
Strict URPF
To pass the strict URPF check, the source address and receiving interface of a packet must match the
destination address and output interface of a FIB entry.
In some scenarios such as asymmetrical routing, strict URPF may discard valid packets.
Strict URPF is often deployed between an ISP and the connected users.
Loose URPF
To pass the loose URPF check, the source address of a packet must match the destination address of a FIB
entry. Loose URPF can avoid discarding valid packets, but may let attack packets pass.
Loose URPF is often deployed between ISPs, especially in asymmetrical routing.

How URPF works

URPF does not check multicast packets.
URPF works as shown in Figure 81.
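The strict and loose checks from "URPF check modes", modelled in Python as an added example; this is not code from the HP manual and not the switch's implementation, and it does not reproduce the full flow of Figure 81. The FIB contents, interface names and sample packets are constructed (only 2.2.2.1 comes from the text), and a single best FIB entry per source address is assumed.

```python
import ipaddress

# Constructed FIB on the checking router: (destination prefix, output interface).
# Prefixes and interface names are assumptions; only 2.2.2.1 comes from the text.
FIB = [
    ("1.1.1.0/24", "if-a"),  # network reached through Router A
    ("2.2.2.0/24", "if-c"),  # network of Router C (2.2.2.1)
    ("3.3.3.0/24", "if-c"),  # asymmetric: routed out if-c, but arrives on if-d
]

def fib_lookup(addr, fib=FIB):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    nets = [(ipaddress.ip_network(p), ifc) for p, ifc in fib]
    hits = [(n, ifc) for n, ifc in nets if ip in n]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def urpf_pass(src, dst, in_if, mode, fib=FIB):
    """True if the packet passes the check (one best FIB entry assumed)."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    if ipaddress.ip_address(dst).is_multicast:
        return True                # multicast packets are not checked
    entry = fib_lookup(src, fib)
    if entry is None:
        return False               # source matches no FIB entry
    if mode == "loose":
        return True                # a matching FIB entry is sufficient
    return entry[1] == in_if       # strict: receiving interface must match

# Constructed packets: (label, source, destination, receiving interface).
PACKETS = [
    ("legitimate host", "1.1.1.10", "10.0.0.5", "if-a"),
    ("forged 2.2.2.1 from Router A", "2.2.2.1", "10.0.0.5", "if-a"),
    ("valid, asymmetric path", "3.3.3.3", "10.0.0.5", "if-d"),
    ("source not in FIB", "9.9.9.9", "10.0.0.5", "if-a"),
    ("multicast destination", "9.9.9.9", "224.0.0.5", "if-a"),
]

def evaluate(packets=PACKETS):
    """Map each label to its (strict, loose) verdicts."""
    return {label: (urpf_pass(s, d, i, "strict"), urpf_pass(s, d, i, "loose"))
            for label, s, d, i in packets}

if __name__ == "__main__":
    for label, (strict, loose) in evaluate().items():
        print(f"{label:30} strict={'pass' if strict else 'drop'} "
              f"loose={'pass' if loose else 'drop'}")
```

The forged packet and the valid asymmetric-path packet receive identical verdicts in each mode, which is the trade-off between strict and loose URPF.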