R21xx-HP FlexFabric 11900 Security Configuration Guide
139
Configuring uRPF
Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks.
Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers do not receive the response packets, the forged packets are still disruptive.
Figure 50 Source address spoofing attack
As shown in Figure 50, an attacker on Router A sends the server (Router B) requests with a forged source IP address 2.2.2.1, and Router B sends response packets to IP address 2.2.2.1 (Router C). Consequently, both Router B and Router C are attacked. uRPF can prevent such attacks.
The term "router" in this document refers to both routers and Layer 3 switches.
uRPF check modes
uRPF supports two check modes:
• Strict uRPF—To pass strict uRPF check, the source address of a packet and the receiving interface must match the destination address and output interface of a FIB entry. In some cases such as asymmetrical routing, strict uRPF might discard valid packets. Strict uRPF is often deployed between a PE device and a CE device.
• Loose uRPF—To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry. Loose uRPF can avoid discarding valid packets, but might let attack packets pass. Loose uRPF is often deployed between ISPs, especially in asymmetrical routing.
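The following Python model of the two check modes is an added illustration and is not from the guide or the switch software. The FIB contents, interface names and the 2.2.2.1 lookup against them are constructed assumptions; it shows why strict mode drops a packet that arrives on an interface other than the FIB's reverse path (the spoofing case, but also asymmetrical routing), while loose mode only requires that some route back to the source exists.

```python
import ipaddress

# Constructed FIB for the model: (destination prefix, output interface).
# Assumption: these entries and interface names are not from the guide.
FIB = [
    ("2.2.2.0/24", "GigabitEthernet1/0/1"),
    ("3.3.3.0/24", "GigabitEthernet1/0/2"),
    ("10.0.0.0/8", "GigabitEthernet1/0/3"),
]


def fib_lookup(address, fib=FIB):
    """Longest-prefix match of an IPv4 address against the FIB.

    Returns (network, output_interface) or None when no entry covers it.
    """
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(src, in_iface, mode, fib=FIB):
    """Return True if a packet from src received on in_iface passes uRPF.

    strict: the FIB entry for src must point back out of the receiving
            interface (source address AND interface must match).
    loose:  any FIB entry covering src is enough (source address only).
    """
    entry = fib_lookup(src, fib)
    if entry is None:
        return False  # no route back to the source: both modes drop
    if mode == "loose":
        return True
    if mode == "strict":
        return entry[1] == in_iface
    raise ValueError("unknown uRPF mode: %s" % mode)


if __name__ == "__main__":
    # Spoofed 2.2.2.1 arriving on the wrong interface: strict drops, loose passes.
    print("strict:", urpf_check("2.2.2.1", "GigabitEthernet1/0/2", "strict"))
    print("loose: ", urpf_check("2.2.2.1", "GigabitEthernet1/0/2", "loose"))
```

The same strict-mode drop occurs for a legitimate host whose return route leaves by a different interface, which is the asymmetrical-routing caveat the guide gives for deploying strict uRPF.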
uRPF work flow
uRPF does not check multicast packets.