bgp hints - internet routing news, hints and tips

Posted: 2003-10-26

Category: General

Block unwanted traffic with unicast reverse path filters

Denial-of-Service (DoS) attacks often use spoofed source addresses. One way to minimize the effect of spoofed addresses is to use bogon address filtering, as described in an earlier article. In addition, it is a good idea to employ ingress filtering as described in RFC 2827 (BCP 38).

The basic idea behind ingress filtering is to ensure that only traffic with known good source addresses is accepted at all entry points into the network. One method to do this is to configure an explicit packet filter on each ingress interface. These filters need to be kept up to date to ensure no legitimate traffic is blocked.

A more effective method is to use unicast reverse path filters (uRPF). uRPF uses the routing table to determine whether a source address is acceptable: a packet is accepted if the route to the source of the packet (the reverse path) points to the interface the packet came in on. If not, the packet is considered spoofed and rejected.

To enable uRPF checking on Juniper routers, one specifies the statement "rpf-check" for the appropriate interface(s). On Cisco, the statement to include in the interface definition is "ip verify unicast reverse-path".

At the edge of the network, where customers are attached, this is fairly straightforward. Enabling uRPF there ensures customers can only use the source addresses they are supposed to use.

However, when enabling uRPF on transit or peering interfaces, one should be careful of asymmetric routes: legitimate traffic can arrive on an interface other than the one the active route to its source points to, and strict checking would drop it. There are a few ways to handle this. First, one can use loose mode uRPF, which is supported by both Juniper and Cisco. In this case, all that counts is whether a route exists to the source address of a packet; it does not necessarily have to point to the ingress interface. Whether to use strict or loose mode uRPF checking can be specified per interface.

Alternatively, on Juniper routers one can use the "feasible-paths" option which also allows routes that have been received (by BGP or another routing protocol) for that interface, but not selected as the active route. On Cisco routers, one can use the Cisco-specific weight attribute to locally prefer the external route without giving it a high preference in the rest of the network.
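The following Python sketch is an added example, not part of the original article or of any router implementation. It is a simplified model of the strict, loose and feasible-paths decisions described above; the routing table, interface names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample table: prefix -> interfaces a path was received on,
# with the active (selected) path listed first. No default route is present.
ROUTES = {
    "198.51.100.0/24": ["ge-0/0/1"],              # customer prefix
    "203.0.113.0/24": ["ge-0/0/2", "ge-0/0/3"],   # active via transit, also learned via peer
}

def lookup(src, routes):
    """Longest-prefix match; returns the interface list for src, or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifaces in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best[1] if best else None

def urpf_accept(src, in_iface, mode, routes=ROUTES):
    """Return True if a packet from src arriving on in_iface passes the check."""
    paths = lookup(src, routes)
    if not paths:
        return False                  # no route to the source: fails in every mode
    if mode == "loose":
        return True                   # any route to the source is enough
    if mode == "strict":
        return paths[0] == in_iface   # active route must point at the ingress interface
    if mode == "feasible":
        return in_iface in paths      # a received, non-active path also counts
    raise ValueError("unknown mode: " + mode)

def compare_modes(src, in_iface):
    """Verdict of each mode for one packet, for side-by-side comparison."""
    return {m: urpf_accept(src, in_iface, m) for m in ("strict", "loose", "feasible")}

if __name__ == "__main__":
    # Asymmetric return traffic: source is reached via ge-0/0/2, packet arrives on ge-0/0/3.
    print("asymmetric:", compare_modes("203.0.113.9", "ge-0/0/3"))
    # Customer address arriving on a peering interface it was never announced on.
    print("spoofed:   ", compare_modes("198.51.100.7", "ge-0/0/3"))
    # Source with no route at all (bogon-like).
    print("unrouted:  ", compare_modes("192.0.2.1", "ge-0/0/1"))
```

The second case shows the trade-off: loose mode accepts a packet that strict and feasible-paths checking both reject, because it only verifies that some route to the source exists.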

Additionally, it is possible to specify an exception access list, which is evaluated when a packet fails the uRPF check. That can be used to explicitly accept or reject known good or bad addresses.

If you have any questions or comments regarding this article, please contact bgp@ruud.org.