R3166-R3206-HP High-End Firewalls Attack Protection Configuration Guide-6PW101

18 URPF Configuration
NOTE:
The terms router and router icon in this document refer to a routing device running routing protocols in
a generic sense.
The firewall supports configuring URPF only in the web interface.
URPF overview
What is URPF
Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks.
Attackers launch such attacks by sending a large number of packets with forged source addresses. For
applications using IP-address-based authentication, this type of attack allows unauthorized users to
access the system in the name of authorized users, or even access the system as the administrator. Even
if the attackers cannot receive any response packets, the attacks are still disruptive to the attacked target.
Figure 15 Attack based on source address spoofing
As shown in Figure 15, Router A sends a request with a forged source IP address of 2.2.2.1/8 to the
server (Router B), and Router B sends a packet to Router C at 2.2.2.1/8 in response to the request.
Consequently, this packet affects the communication between Router B and Router C.
URPF can prevent source address spoofing attacks.
How URPF works
URPF provides two check modes: strict and loose.
URPF works as follows:
1. If the source address of an incoming packet is found in the FIB table:
   - In strict mode, URPF does a reverse route lookup for routes to the source address of the packet.
     If at least one outgoing interface of such a route matches the receiving interface, the packet passes
     the check and is forwarded normally. Otherwise, the packet is rejected.
   - In loose mode, the packet passes the check and is forwarded normally.
2. If the source address is not found in the FIB table, URPF makes a decision based on the default
   route and the allow-default-route option.
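The strict and loose decisions above, as an added Python example that is not from the guide or the firewall's own code; the FIB contents, the interface names, and the handling of a source matched only by the default route when allow-default-route is off (rejected here) are assumptions.

```python
import ipaddress

# Constructed FIB (not from the guide): prefix -> set of outgoing interfaces.
# The 0.0.0.0/0 entry is the default route.
FIB = {
    "10.1.0.0/16": {"GE0/1"},
    "10.2.0.0/16": {"GE0/2", "GE0/3"},
    "0.0.0.0/0": {"GE0/4"},
}

DEFAULT_ROUTE = "0.0.0.0/0"


def longest_match(fib, src_ip):
    """Return the most specific FIB prefix covering src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None


def urpf_check(fib, src_ip, in_if, mode="strict", allow_default_route=False):
    """URPF decision for one packet: True = forwarded, False = rejected."""
    match = longest_match(fib, src_ip)
    # No route at all for the source address: reject (assumption).
    if match is None:
        return False
    # Source matched only by the default route: the allow-default-route
    # option decides. Assumption: when it is off the packet is rejected;
    # when it is on the default route is treated like any other route.
    if match == DEFAULT_ROUTE and not allow_default_route:
        return False
    # Loose mode: a route to the source address is enough.
    if mode == "loose":
        return True
    # Strict mode: reverse route lookup; the receiving interface must be
    # one of the outgoing interfaces of the route to the source address.
    return in_if in fib[match]
```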