R3303-HP HSR6800 Routers Security Configuration Guide

Configuring URPF
Overview
Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks,
such as denial of service (DoS) and distributed denial of service (DDoS) attacks.
Attackers send packets with a forged source address to access a system that uses IP-based authentication,
in the name of authorized users or even the administrator. Even if the attackers cannot receive any
response packets, the attacks are still disruptive to the attacked target.
Figure 146 Source address spoofing attack
As shown in Figure 146, Router A sends the server (Router B) requests with a forged source IP address
2.2.2.1 at a high rate, and Router B sends packets to IP address 2.2.2.1 (Router C) in response to the
requests. Consequently, both Router B and Router C are attacked.
URPF can prevent these source address spoofing attacks by checking the source addresses of packets
and filtering out invalid packets.
URPF check modes
URPF provides two check modes: strict and loose.
Strict URPF—For a packet to pass strict URPF check, the source address of the packet and the
receiving interface must match the destination address and output interface of a forwarding
information base (FIB) entry. In some scenarios such as asymmetrical routing, strict URPF will discard
valid packets. Strict URPF is often deployed between a provider edge (PE) device and a customer
edge (CE) device.
Loose URPF—For a packet to pass loose URPF check, the source address of the packet must match
the destination address of a FIB entry. Loose URPF avoids discarding valid packets, but might let
attack packets through. Loose URPF is often deployed between ISPs, especially in asymmetrical routing.
URPF features
Default route—When a default route exists, all packets that fail to match a specific FIB entry can
match the default route during URPF check and are permitted to pass. To avoid this situation, you
can prevent URPF from using any default route, so that such packets are discarded. By default, URPF
discards packets that can only match a default route.
ACL—To treat specific packets as valid packets, you can use an ACL to match them. Packets matched
by the ACL are forwarded even if they do not pass URPF check.
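The following Python model is an added illustration, not code from the guide or the router: it applies the strict and loose checks, the default-route rule and the ACL exception to a constructed FIB. The prefixes, interface names and the `allow_default` / `acl_permit` parameters are assumptions chosen for the example.

```python
import ipaddress

# Constructed FIB for the example: (destination prefix, output interface).
# The 0.0.0.0/0 entry is the default route; 2.2.2.0/24 reaches "Router C" via GE1/0/3.
FIB = [
    ("10.1.1.0/24", "GE1/0/1"),
    ("10.1.2.0/24", "GE1/0/2"),
    ("2.2.2.0/24", "GE1/0/3"),
    ("0.0.0.0/0", "GE1/0/9"),
]


def fib_lookup(addr):
    """Longest-prefix match on FIB; returns (network, out_iface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(src, in_iface, mode="strict", allow_default=False, acl_permit=None):
    """Return True if a packet with source 'src' arriving on 'in_iface' passes URPF.

    mode          -- "strict" (source must also be reachable via in_iface) or "loose"
    allow_default -- whether a default-route match counts (assumed option; off by default)
    acl_permit    -- list of prefixes treated as valid regardless of the URPF result
    """
    # ACL exception: matched packets are forwarded even if they would fail the check.
    if acl_permit and any(ipaddress.ip_address(src) in ipaddress.ip_network(p)
                          for p in acl_permit):
        return True
    entry = fib_lookup(src)
    if entry is None:
        return False                      # no FIB entry at all for the source
    net, out_iface = entry
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route matched: discard
    if mode == "strict":
        return out_iface == in_iface      # reverse path must be the receiving interface
    return True                           # loose: any matching FIB entry is enough
```

In the Figure 146 scenario, a packet forged with source 2.2.2.1 arriving from Router A on GE1/0/1 fails strict URPF because the FIB reaches 2.2.2.0/24 through GE1/0/3.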