Generating local dsa or rsa key pairs, Configuring urpf, Overview – H3C Technologies H3C S12500-X Series Switches User Manual
Configuring uRPF
Overview
Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such
as DoS and DDoS attacks.
Attackers send packets with a forged source address to a system that uses IP-based authentication, posing as authorized users or even as the administrator. Even though the attacker (or whichever host owns the forged address) never receives the response packets, the attack still disrupts the targeted system.
Figure 75 Source address spoofing attack
As shown in Figure 75, an attacker on Router A sends the server (Router B) requests with the forged source IP address 2.2.2.1 at a high rate, and Router B sends the response packets to IP address 2.2.2.1 (Router C). Consequently, both Router B and Router C are attacked. If the administrator disconnects Router C by mistake, the network service is interrupted.
Attackers can also send packets with many different forged source addresses, or attack multiple servers simultaneously, to exhaust connections or even bring down the network.
uRPF can prevent these source address spoofing attacks. For each received packet, it looks up the FIB entry that matches the packet's source address and checks whether the interface that received the packet is the output interface of that entry. If not, uRPF treats the packet as spoofed and discards it.
uRPF check modes
uRPF supports strict and loose modes.
Strict uRPF check—To pass the strict uRPF check, the source address of a packet must match the destination address of a FIB entry, and the receiving interface must be the output interface of that entry. In some scenarios (for example, asymmetric routing, where the return path to a source does not use the interface on which its traffic arrives), strict uRPF might discard valid packets. Strict uRPF is often deployed between a PE and a CE.
Loose uRPF check—To pass the loose uRPF check, the source address of a packet only needs to match the destination address of a FIB entry; the receiving interface is not checked. Loose uRPF avoids discarding valid packets, but might let attack packets through (for example, a forged source that is reachable through some other interface). Loose uRPF is often deployed between ISPs, especially where routing is asymmetric.
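The following added example (not code from the H3C manual or from Comware) models the FIB lookup described in the overview and the two check modes above as a small Python function, so the difference between strict and loose checking can be seen on concrete packets. The FIB contents, interface names (GE1/0/1, GE1/0/2, GE1/0/3), and the 10.0.0.0/8 prefix are constructed for the example; only the forged address 2.2.2.1 comes from the Figure 75 scenario. The constructed FIB deliberately has no default route, so a source address with no matching entry fails both modes.

```python
"""Simulate uRPF strict and loose checks against a longest-prefix-match FIB.

Example code written for this page; not the switch's own implementation.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FibEntry:
    """One FIB entry: a destination prefix and the output interface used to reach it."""
    prefix: ipaddress.IPv4Network
    out_iface: str


# Constructed FIB for the server (Router B) in Figure 75 (assumed values):
#   GE1/0/1 faces Router A, where the attacker sits (1.1.1.0/24)
#   GE1/0/2 faces Router C, the real owner of 2.2.2.1 (2.2.2.0/24)
#   GE1/0/3 is a third uplink, used to illustrate asymmetric routing (10.0.0.0/8)
FIB: List[FibEntry] = [
    FibEntry(ipaddress.ip_network("1.1.1.0/24"), "GE1/0/1"),
    FibEntry(ipaddress.ip_network("2.2.2.0/24"), "GE1/0/2"),
    FibEntry(ipaddress.ip_network("10.0.0.0/8"), "GE1/0/3"),
]


def lookup(fib: List[FibEntry], addr: ipaddress.IPv4Address) -> Optional[FibEntry]:
    """Longest-prefix match of addr against the FIB; None if nothing matches."""
    best: Optional[FibEntry] = None
    for entry in fib:
        if addr in entry.prefix and (best is None or entry.prefix.prefixlen > best.prefix.prefixlen):
            best = entry
    return best


def urpf_check(fib: List[FibEntry], src: str, in_iface: str, mode: str) -> Tuple[bool, str]:
    """Return (accept, reason) for a packet with source src received on in_iface.

    mode="strict": source must match a FIB entry AND in_iface must be that entry's
                   output interface.
    mode="loose":  source only needs to match some FIB entry; the interface is ignored.
    """
    if mode not in ("strict", "loose"):
        raise ValueError(f"unknown uRPF mode: {mode!r}")
    entry = lookup(fib, ipaddress.ip_address(src))
    if entry is None:
        # No route back to the source at all: dropped in both modes.
        return False, "no FIB entry matches the source address"
    if mode == "loose":
        return True, f"source matches {entry.prefix} (interface not checked)"
    if entry.out_iface == in_iface:
        return True, f"source matches {entry.prefix} via {entry.out_iface}"
    return False, (f"source matches {entry.prefix} via {entry.out_iface}, "
                   f"but the packet arrived on {in_iface}")


def main() -> None:
    # Constructed packets: (description, source address, receiving interface)
    packets = [
        ("spoofed 2.2.2.1 from Router A's side", "2.2.2.1", "GE1/0/1"),
        ("legitimate host behind Router A", "1.1.1.5", "GE1/0/1"),
        ("asymmetric: valid source, wrong interface", "10.1.2.3", "GE1/0/1"),
        ("unknown source, no route", "192.0.2.1", "GE1/0/1"),
    ]
    for desc, src, iface in packets:
        for mode in ("strict", "loose"):
            ok, why = urpf_check(FIB, src, iface, mode)
            print(f"{mode:6s} {'PASS' if ok else 'DROP'}  {desc:45s} {why}")


if __name__ == "__main__":
    main()
```

The spoofed packet in the Figure 75 scenario (source 2.2.2.1 arriving from Router A's side) is dropped by strict mode but passes loose mode, because 2.2.2.0/24 is reachable, just not through the receiving interface. The asymmetric-routing packet shows the cost of strict mode: a genuine source is dropped solely because the return route uses a different interface.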
uRPF operation
Figure 76 shows how uRPF works.