Installation Instructions for 3com S7906E

1 URPF Configuration 
When configuring URPF, go to these sections for information you are interested in: 
 
 
The term “router” in this document refers to a router in a generic sense or a Layer 3 switch. 
 
URPF Overview 
What is URPF 
Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks. 
Attackers launch attacks by creating a series of packets with forged source addresses. For applications 
using IP-address-based authentication, this type of attack allows unauthorized users to access the 
system in the name of authorized users, or even access the system as the administrator. Even if the 
attackers cannot receive any response packets, the attacks are still disruptive to the attacked target. 
Figure 1-1 Attack based on source address spoofing 
 
 
As shown in Figure 1-1, Router A originates a request to the server (Router B) by sending a packet with 
a forged source IP address of 2.2.2.1/8, and Router B sends a packet to Router C at 2.2.2.1/8 in 
response to the request. Consequently, both Router B and Router C are attacked. 
URPF can prevent source address spoofing attacks. 
How URPF Works 
URPF provides two check modes: strict and loose. In addition, it supports ACL check, link layer check, 
and default route check. 
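The following is an added sketch, not taken from the 3Com manual, of the strict and loose checks applied on Router B to the Figure 1-1 scenario. It uses the standard meaning of the two modes: strict requires the route back to the source to point out the arrival interface, while loose only requires that some route to the source exists. The interface names, the 1.0.0.0/8 prefix, the FIB contents and the treatment of directed broadcasts are constructed assumptions; the ACL, link layer and default route checks are not modeled.

```python
import ipaddress

# Constructed FIB for Router B: (prefix, outgoing interface).
# Interface names and the 1.0.0.0/8 prefix are assumptions, not manual values;
# 2.0.0.0/8 corresponds to the 2.2.2.1/8 address used in Figure 1-1.
FIB = [
    (ipaddress.ip_network("1.0.0.0/8"), "if_to_A"),
    (ipaddress.ip_network("2.0.0.0/8"), "if_to_C"),
]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def lookup(src):
    """Longest-prefix match on the source address; returns the interface or None."""
    matches = [(net, ifc) for net, ifc in FIB if src in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def urpf_check(src_ip, in_if, mode):
    """Return 'forward' or 'drop' for a packet from src_ip arriving on in_if."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    src = ipaddress.ip_address(src_ip)
    # Source validity: broadcast sources are discarded before any route lookup.
    # Treating the directed broadcast of each known prefix as broadcast is an assumption.
    if src == LIMITED_BROADCAST or any(src == net.broadcast_address for net, _ in FIB):
        return "drop"
    route_if = lookup(src)
    if route_if is None:
        return "drop"  # no route back to the source fails both modes
    if mode == "loose":
        return "forward"  # any route to the source is enough
    # Strict: the reverse path must leave through the arrival interface.
    return "forward" if route_if == in_if else "drop"


if __name__ == "__main__":
    # Router A's packet with forged source 2.2.2.1 arrives on the link to A.
    for mode in ("strict", "loose"):
        print(mode, urpf_check("2.2.2.1", "if_to_A", mode))
```

In this topology only strict mode rejects the forged packet from Router A, because loose mode is satisfied by the existing route to 2.0.0.0/8 through the other interface.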
URPF works as follows: 
1)  First, URPF checks the source address validity, and then: 
Discards packets with broadcast source addresses.