This section describes the definition and objective of URPF.
Unicast Reverse Path Forwarding (URPF) is used to prevent the source address spoofing attack.
Generally, upon receiving a packet, the FW first obtains the destination IP address of the packet and then searches the forwarding table for a route to that destination. If the FW finds such a route, it forwards the packet; otherwise, it discards the packet. URPF (strict mode), however, obtains the source IP address and the inbound interface of the packet and checks whether the interface through which the forwarding table reaches the source IP address matches the actual inbound interface of the packet. If they do not match, URPF considers the source IP address a spoofed (pseudo) address and discards the packet. In this way, URPF can effectively protect against malicious attacks that are launched by changing the source addresses of packets.
Network attacks based on source address spoofing have become a common form of attacks across the Internet. You can use URPF on inbound interfaces of the FW to protect a network from the source address spoofing attack.
As shown in Figure 1, PC_A sends a packet with the pseudo source address 10.2.2.2 to the server. After receiving the packet, the server sends a response packet to PC_B, whose IP address is 10.2.2.2. As a result, both PC_B and the server are attacked by illegal packets sent from PC_A.
When such pseudo packets arrive in large numbers, the result is a Denial of Service (DoS) attack that greatly affects network security.
As shown in Figure 2, after URPF is enabled on sysname_A, the pseudo packets sent by PC_A are directly discarded by sysname_A, and packets from PC_B are forwarded normally.
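The following is an added example, not code from the original page or from the FW product, that models the strict-mode check described above and replays the Figure 1 / Figure 2 scenario; it also includes the well-known loose mode (any route to the source suffices), which this page does not describe. The forwarding table, interface names and PC_A's real address (10.1.1.1) are constructed assumptions.

```python
import ipaddress

# Constructed forwarding table for sysname_A: (destination prefix, outbound interface).
# Interface names and the 10.1.1.0/24 segment for PC_A are assumptions, not from the page.
FIB = [
    (ipaddress.ip_network("10.1.1.0/24"), "GE0/0/1"),  # segment where PC_A is attached
    (ipaddress.ip_network("10.2.2.0/24"), "GE0/0/2"),  # segment where PC_B (10.2.2.2) is attached
    (ipaddress.ip_network("10.3.3.0/24"), "GE0/0/3"),  # server segment
]


def lookup(fib, address):
    """Longest-prefix match: return the interface the FW would use to reach `address`,
    or None when the forwarding table has no route to it."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def urpf_strict(fib, src_ip, in_iface):
    """Strict mode: the packet passes only if the route back to its source address
    points out the very interface the packet arrived on. No route -> fail."""
    reverse_iface = lookup(fib, src_ip)
    return reverse_iface is not None and reverse_iface == in_iface


def urpf_loose(fib, src_ip, in_iface):
    """Loose mode (not described on this page): any route to the source suffices,
    regardless of which interface the packet arrived on."""
    return lookup(fib, src_ip) is not None


def decide(fib, src_ip, in_iface, mode="strict"):
    """Return 'forward' or 'drop' for a packet with the given source and inbound interface."""
    check = urpf_strict if mode == "strict" else urpf_loose
    return "forward" if check(fib, src_ip, in_iface) else "drop"


# Constructed packets modelling Figure 1 / Figure 2 (source IP, inbound interface, description).
PACKETS = [
    ("10.2.2.2", "GE0/0/1", "PC_A spoofing PC_B's address"),
    ("10.2.2.2", "GE0/0/2", "genuine packet from PC_B"),
    ("10.1.1.1", "GE0/0/1", "genuine packet from PC_A"),
    ("192.0.2.9", "GE0/0/1", "source with no route in the table"),
]

if __name__ == "__main__":
    for src, iface, what in PACKETS:
        print(f"{what:40s} src={src:10s} in={iface:8s} -> {decide(FIB, src, iface)}")
```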