R2511-HP MSR Router Series Security Configuration Guide (V5)

Configuring URPF
Overview
Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks,
such as denial of service (DoS) and distributed denial of service (DDoS) attacks.
Attackers send packets with a forged source address to a system that uses IP-based authentication,
impersonating authorized users or even the administrator. Even if the attackers cannot receive any
response packets, the attack is still disruptive to the target.
Figure 144 Source address spoofing attack
As shown in Figure 144, an attacker on Router A sends the server (Router B) requests with a forged source
IP address 2.2.2.1, and Router B sends response packets to IP address 2.2.2.1 (Router C). Consequently,
both Router B and Router C are attacked. URPF can prevent such attacks.
The term router in this document refers to both routers and Layer 3 switches.
Configuring URPF
URPF supports two check modes:
Strict URPF—To pass the strict URPF check, the source address of a packet and the receiving interface
must match the destination address and output interface of a forwarding information base (FIB)
entry. In some scenarios, such as asymmetrical routing, strict URPF might discard valid packets. Strict
URPF is often deployed between a provider edge (PE) device and a customer edge (CE) device.
Loose URPF—To pass the loose URPF check, the source address of a packet only needs to match the
destination address of a FIB entry; the receiving interface is not checked. Loose URPF avoids discarding
valid packets, but might let attack packets through. Loose URPF is often deployed between ISPs,
especially where routing is asymmetrical.
URPF features
Default route—When a default route exists, every packet whose source address fails to match a specific
FIB entry still matches the default route during the URPF check and is permitted to pass. To avoid this,
you can prevent URPF from using the default route, so that such packets are discarded. By default, URPF
discards packets whose source address can only match a default route.
ACL—To identify specific packets as valid, you can use an ACL to match these packets. Even if the
packets do not pass the URPF check, they are still forwarded.
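To make the two check modes and the two features above concrete, here is an added model of the URPF decision in Python. It is not the router's own code: the FIB contents, interface names, and the ACL stand-in are constructed for illustration, and the exempt ACL is modeled as a list of networks.

```python
import ipaddress

# Constructed FIB: (destination prefix, output interface).
# 0.0.0.0/0 is the default route; Router C's network 2.2.2.0/24 is reached via GE0/2.
FIB = [
    (ipaddress.ip_network("10.1.0.0/16"), "GE0/1"),
    (ipaddress.ip_network("2.2.2.0/24"), "GE0/2"),
    (ipaddress.ip_network("0.0.0.0/0"), "GE0/3"),
]


def lookup(fib, address):
    """Longest-prefix match of an address against the FIB; None if nothing matches."""
    best = None
    for prefix, iface in fib:
        if address in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_check(fib, src, in_iface, mode="strict", allow_default_route=False, acl_exempt=()):
    """Return True if a packet with source `src` arriving on `in_iface` passes URPF.

    mode: "strict" requires the matching FIB entry's output interface to equal the
          receiving interface; "loose" only requires that some FIB entry matches.
    allow_default_route: whether a match on 0.0.0.0/0 counts (off by default, as in
          the guide, so packets that only match the default route are discarded).
    acl_exempt: constructed stand-in for the ACL feature; matching sources always pass.
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in acl_exempt):
        return True  # ACL-identified packets are forwarded even if URPF would fail
    entry = lookup(fib, addr)
    if entry is None:
        return False  # no reverse path at all
    prefix, out_iface = entry
    if prefix.prefixlen == 0 and not allow_default_route:
        return False  # matched only the default route
    if mode == "strict":
        return out_iface == in_iface
    return True
```

In the Figure 144 scenario, a packet claiming to be from 2.2.2.1 but arriving on GE0/1 fails strict URPF (the reverse path is GE0/2) yet passes loose URPF, which is exactly the trade-off the two modes describe.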
URPF work flow
URPF does not check multicast packets.