HP VPN Firewall Appliances Attack Protection Configuration Guide
Configuring URPF
Overview
Unicast Reverse Path Forwarding (URPF) protects a network against source spoofing attacks, such as
denial of service (DoS) and distributed denial of service (DDoS) attacks.
Attackers send packets with a forged source address to a system that uses IP-based authentication, impersonating authorized users or even the administrator. Even if the attackers cannot receive any response packets, the attack is still disruptive to the targeted system.
Figure 97 Source address spoofing attack
As shown in Figure 97, an attacker on Router A sends the server (Router B) requests with a forged source
IP address 2.2.2.1, and Router B sends response packets to IP address 2.2.2.1 (Router C). Consequently,
both Router B and Router C are attacked. URPF can prevent such attacks.
The term router in this document refers to both routers and firewalls.
URPF check modes
URPF supports two check modes:
• Strict URPF—To pass strict URPF check, the source address of a packet and the receiving interface
must match the destination address and output interface of a forwarding information base (FIB)
entry. In some scenarios such as asymmetrical routing, strict URPF might discard valid packets. Strict
URPF is often deployed between a provider edge (PE) device and a customer edge (CE) device.
• Loose URPF—To pass loose URPF check, the source address of a packet must match the destination address of a FIB entry; the receiving interface is not checked. Loose URPF avoids discarding valid packets, but might let attack packets through. Loose URPF is often deployed between ISPs, especially where routing is asymmetrical.
URPF features
• Default route—When a default route exists, all packets that fail to match a specific FIB entry can match the default route during URPF check and are permitted to pass. To avoid this situation, you can prevent URPF from using any default route, so that such packets are discarded. By default, URPF discards packets that can only match a default route.
• Link layer check—Strict URPF check can further perform link layer check on a packet. It uses the next
hop address in the matching FIB entry to look up the ARP table for a matching entry. If the source
MAC address of the packet matches the MAC address in the matching ARP entry, the packet passes
strict URPF check. Link layer check is applicable to ISP devices where a Layer 3 Ethernet interface
connects a large number of users. Loose URPF does not support link layer check.