R0106-HP MSR Router Series Security Configuration Guide(V7)

Configuring uRPF
In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024,
MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080.
Overview
Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such
as DoS and DDoS attacks.
Attackers send packets with a forged source address to access a system that uses IP-based authentication,
in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot
receive any response packets, the attacks are still disruptive to the attacked target.
Figure 128 Source address spoofing attack
As shown in Figure 128, an attacker on Router A sends the server (Router B) requests with a forged source
IP address 2.2.2.1 at a high rate, and Router B sends response packets to IP address 2.2.2.1 (Router C).
Consequently, both Router B and Router C are attacked. If the administrator disconnects Router C by
mistake, the network service is interrupted.
Attackers can also send packets with different forged source addresses or attack multiple servers
simultaneously to block connections or even break down the network.
uRPF can prevent these source address spoofing attacks. It checks whether an interface that receives a
packet is the output interface of the FIB entry that matches the source address of the packet. If not, uRPF
considers it a spoofing attack and discards the packet.
uRPF check modes
uRPF supports strict and loose modes.
• Strict uRPF check—To pass the strict uRPF check, the source address of a packet and the receiving
interface must match the destination address and output interface of a FIB entry. In some scenarios
(for example, asymmetrical routing), strict uRPF might discard valid packets. Strict uRPF is often
deployed between a PE and a CE.
• Loose uRPF check—To pass the loose uRPF check, the source address of a packet only needs to match the
destination address of a FIB entry. Loose uRPF avoids discarding valid packets, but might let
attack packets through. Loose uRPF is often deployed between ISPs, especially in asymmetrical routing.
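The following added example models the two check modes described above, together with the default-route behavior described under "Features", against a small constructed FIB. It is illustrative code written for this page, not the router's implementation or any HP tool; the FIB entries, interface names and the allow_default_route switch are assumptions chosen to reproduce the Figure 128 scenario (a forged source 2.2.2.1 arriving on the interface toward Router A).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FibEntry:
    """One FIB entry: destination prefix and the interface packets to it leave on."""
    prefix: ipaddress.IPv4Network
    out_iface: str


# Constructed sample FIB (not from the guide). GE1/0/1 faces Router A (attacker),
# GE1/0/2 faces Router C (2.2.2.0/24), GE1/0/3 is the upstream/default path.
FIB = [
    FibEntry(ipaddress.ip_network("1.1.1.0/24"), "GE1/0/1"),
    FibEntry(ipaddress.ip_network("2.2.2.0/24"), "GE1/0/2"),
    FibEntry(ipaddress.ip_network("3.3.3.0/24"), "GE1/0/3"),
    FibEntry(ipaddress.ip_network("0.0.0.0/0"), "GE1/0/3"),  # default route
]


def lookup(fib, addr, allow_default_route):
    """Longest-prefix match of addr against the FIB.

    Returns the matching entry, or None when nothing matches. When
    allow_default_route is False, a match on the default route (/0) is
    treated as no match, which is what makes uRPF discard unrouted sources.
    """
    best = None
    for entry in fib:
        if addr in entry.prefix and (best is None or entry.prefix.prefixlen > best.prefix.prefixlen):
            best = entry
    if best is not None and best.prefix.prefixlen == 0 and not allow_default_route:
        return None
    return best


def urpf_check(fib, src, in_iface, mode="strict", allow_default_route=False):
    """Return True if the packet passes the uRPF check, False if it would be discarded.

    strict: source must match a FIB entry AND that entry's output interface
            must be the interface the packet arrived on.
    loose:  source only needs to match some FIB entry.
    """
    entry = lookup(fib, ipaddress.ip_address(src), allow_default_route)
    if entry is None:
        return False  # no route back to the source: fails in both modes
    if mode == "loose":
        return True
    if mode == "strict":
        return entry.out_iface == in_iface
    raise ValueError(f"unknown uRPF mode: {mode}")


def scenarios():
    """Constructed packets illustrating each case discussed in the text."""
    cases = {
        # Figure 128: forged source 2.2.2.1 arrives from Router A (GE1/0/1),
        # but the FIB says 2.2.2.0/24 is reached via GE1/0/2.
        "spoofed_strict": urpf_check(FIB, "2.2.2.1", "GE1/0/1", "strict"),
        "spoofed_loose": urpf_check(FIB, "2.2.2.1", "GE1/0/1", "loose"),
        # Same source on its legitimate interface passes strict.
        "genuine_strict": urpf_check(FIB, "2.2.2.1", "GE1/0/2", "strict"),
        # Asymmetric routing: valid host 3.3.3.5 arrives on GE1/0/1 while the
        # return route points to GE1/0/3; strict discards it, loose does not.
        "asymmetric_strict": urpf_check(FIB, "3.3.3.5", "GE1/0/1", "strict"),
        "asymmetric_loose": urpf_check(FIB, "3.3.3.5", "GE1/0/1", "loose"),
        # Unrouted source 9.9.9.9 only passes when the default route may be used.
        "unrouted_loose": urpf_check(FIB, "9.9.9.9", "GE1/0/1", "loose"),
        "unrouted_loose_default": urpf_check(FIB, "9.9.9.9", "GE1/0/1", "loose", True),
    }
    return cases


if __name__ == "__main__":
    for name, passed in scenarios().items():
        print(f"{name:24s} {'pass' if passed else 'discard'}")
```

The "spoofed_loose" case is the caveat from the text made concrete: loose mode accepts the forged 2.2.2.1 because a route to 2.2.2.0/24 exists somewhere, while strict mode discards it because the route does not point back out the receiving interface. The "asymmetric_strict" case shows the opposite failure mode, where strict mode drops a legitimate packet whose return path differs from its arrival path.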
Features
Default route—When a default route exists, every packet whose source address fails to match a specific FIB
entry matches the default route during the uRPF check and is therefore permitted to pass. To avoid this, you
can configure uRPF not to use the default route, so that such packets are discarded. If you allow using the default route (by using