14-Security Configuration Guide

HomeSupportSwitchesS12500R SeriesConfigure & DeployConfiguration GuidesH3C S12500R Switch Router Series Configuration Guides(R51xx)-6W10114-Security Configuration Guide
12-uRPF configuration
Title Size Download
12-uRPF configuration 85.18 KB

Configuring uRPF

About uRPF

Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks.

uRPF application scenario

Attackers send packets with a forged source address to access a system that uses IPv4-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.

Figure 1 Source address spoofing attack

As shown in Figure 1, an attacker on Device A sends the server (Device B) requests with a forged source IP address 2.2.2.1 at a high rate. Device B sends response packets to IP address 2.2.2.1 (Device C). Consequently, both Device B and Device C are attacked. If the administrator disconnects Device C by mistake, the network service is interrupted.

Attackers can also send packets with different forged source addresses or attack multiple servers simultaneously to block connections or even break down the network.

uRPF can prevent these source address spoofing attacks. It checks whether an interface that receives a packet is the output interface of the FIB entry that matches the source address of the packet. If not, uRPF considers it a spoofing attack and discards the packet.

uRPF check modes

uRPF supports strict and loose modes.

Strict uRPF check

To pass strict uRPF check, the source address of a packet and the receiving interface must match the destination address and output interface of a FIB entry. In some scenarios (for example, asymmetrical routing), strict uRPF might discard valid packets.

Strict uRPF is often deployed between a PE and a CE.

Loose uRPF check

To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry. Loose uRPF can avoid discarding valid packets, but might let go attack packets.

Loose uRPF is often deployed between ISPs, especially in asymmetrical routing.

Network application

As shown in Figure 2, strict uRPF check is configured between an ISP network and a customer network. Loose uRPF check is configured between ISPs.

Figure 2 Network diagram

Restrictions and guidelines: uRPF configuration

If you enable uRPF on an interface, you can use the display ip interface command to display statistics about packets discarded by uRPF (displayed as "Drops" and "Suppressed drops"). If you enable uRPF globally, the system does not provide statistics about packets discarded by uRPF.

If you configure uRPF globally and on an interface, the interface preferentially uses the interface-specific settings.

Enabling uRPF globally

Restrictions and guidelines

Global uRPF takes effect on all interfaces of the device.

Procedure

1.     Enter system view.

system-view

2.     Enable uRPF globally.

ip urpf { loose | strict }

By default, uRPF is disabled.

Enabling uRPF on an interface

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable uRPF.

ip urpf { loose | strict }

By default, uRPF is disabled.

Verifying and maintaining uRPF

To display uRPF configuration, execute the following command in any view:

display ip urpf [ interface interface-type interface-number ] [ slot slot-number ]

 

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become a Partner
  • Partner Resources
  • Partner Business Management
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网