uRPF examines the source IP of each packet and decides whether to forward or drop it according to the configured mode. This feature helps limit DDoS attacks that rely on spoofed source addresses. To check the source IP of packets arriving on an interface, enable Unicast Reverse Path Forwarding (uRPF) on that interface with the command ip verify unicast source reachable-via { rx | any } [allow-default] [allow-self-ping] [list] (CEF must be enabled for uRPF to work, since the check is done against the FIB).
Packets can be checked in one of two ways:
- Strict RPF: with the rx parameter, the router looks up the source IP in the routing table (FIB) and checks whether the best path back to that source exits through the same interface on which the packet was received. If it does not, the packet is dropped.
- Loose RPF: with the any parameter, the router only checks whether some route exists that could be used to reach the source IP; the interface does not matter.
By default the check ignores the default route when looking up the source; to let a default-route match count, add the allow-default parameter.
One concern when deploying this feature is asymmetric traffic flows: strict mode drops legitimate packets whose return path uses a different interface than the one they arrived on, so loose mode is the scalable option for networks with asymmetric routing paths.
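The following is an added example (not code from the original page): a small Python model of the uRPF decision described above, strict (rx) and loose (any) modes, the allow-default option and the ACL exemption, run against R2's routes as configured in the examples below. The FIB entries, interface names and policy objects are assumptions for illustration; the static default route is modelled as already resolved to its egress interface f0/1, which is what the strict check compares against.

```python
"""Added example: model of Cisco-style uRPF decisions (strict "rx", loose "any",
allow-default, ACL exemption). Illustrative code, not IOS; FIB and names assumed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # egress interface after next-hop recursion (assumed resolved)


@dataclass
class UrpfPolicy:
    mode: str = "rx"             # "rx" = strict, "any" = loose
    allow_default: bool = False  # honour a 0.0.0.0/0 match (allow-default keyword)
    exempt: tuple = ()           # ACL permit entries (networks), consulted only on failure


def lookup(fib, addr):
    """Longest-prefix match over the FIB; returns the best Route or None."""
    best = None
    for route in fib:
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def urpf_verdict(fib, policy, src_ip, in_iface):
    """Return 'forward' or 'drop' for a packet with source src_ip arriving on in_iface."""
    src = ipaddress.IPv4Address(src_ip)
    route = lookup(fib, src)
    if route is None:
        passed = False                        # no route back to the source at all
    elif route.prefix.prefixlen == 0 and not policy.allow_default:
        passed = False                        # default route is ignored unless allow-default
    elif policy.mode == "rx":
        passed = route.interface == in_iface  # strict: best path must exit the ingress interface
    elif policy.mode == "any":
        passed = True                         # loose: any usable route is enough
    else:
        raise ValueError(f"unknown uRPF mode {policy.mode!r}")
    if not passed and any(src in net for net in policy.exempt):
        passed = True                         # ACL permit: forward despite the failed check
    return "forward" if passed else "drop"


# R2's FIB as configured on this page (assumed: static default resolved to f0/1).
R2_FIB = (
    Route(ipaddress.ip_network("192.168.10.0/24"), "FastEthernet0/0"),
    Route(ipaddress.ip_network("192.168.20.0/24"), "FastEthernet0/1"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "FastEthernet0/1"),
)

STRICT = UrpfPolicy(mode="rx")
STRICT_ACL10 = UrpfPolicy(mode="rx", exempt=(ipaddress.ip_network("1.1.1.0/24"),))
STRICT_ALLOW_DEFAULT = UrpfPolicy(mode="rx", allow_default=True)
LOOSE = UrpfPolicy(mode="any")


def page_scenarios():
    """Reproduce the page's three examples plus a loose-mode check on the same spoofed packet."""
    return {
        "ex1 spoofed 192.168.10.1 in f0/1, strict": urpf_verdict(R2_FIB, STRICT, "192.168.10.1", "FastEthernet0/1"),
        "ex2 1.1.1.1 in f0/1, strict + ACL 10": urpf_verdict(R2_FIB, STRICT_ACL10, "1.1.1.1", "FastEthernet0/1"),
        "ex3 1.1.1.1 in f0/1, strict": urpf_verdict(R2_FIB, STRICT, "1.1.1.1", "FastEthernet0/1"),
        "ex3 1.1.1.1 in f0/1, strict allow-default": urpf_verdict(R2_FIB, STRICT_ALLOW_DEFAULT, "1.1.1.1", "FastEthernet0/1"),
        "spoofed 192.168.10.1 in f0/1, loose": urpf_verdict(R2_FIB, LOOSE, "192.168.10.1", "FastEthernet0/1"),
    }


if __name__ == "__main__":
    for name, verdict in page_scenarios().items():
        print(f"{verdict:8} {name}")
```

The last scenario is the caveat behind the asymmetric-routing remark: loose mode forwards the spoofed 192.168.10.1 packet arriving on f0/1 because a route to that prefix exists somewhere, so loose mode only stops sources that are not routable at all (bogons, unallocated space), not addresses spoofed from a prefix the router knows.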
Examples:
Connections:
(192.168.10.0/24) R2 f0/1 ----- f0/0 R3 (spoofed address on Loop10)
Example 1:
Spoofed source address in 192.168.10.0/24
R2(config)#
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet0/1
ip address 192.168.20.2 255.255.255.0
ip verify unicast source reachable-via rx
!
ip route 0.0.0.0 0.0.0.0 192.168.20.1
R3(config)#
ip route 0.0.0.0 0.0.0.0 192.168.20.2
interface Loopback10
description spoof address
ip address 192.168.10.1 255.255.255.0
interface Loopback11
ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/1
ip address 192.168.20.1 255.255.255.0
R3 sends packets sourced from the spoofed 192.168.10.1; R2 receives them on f0/1, but its route to 192.168.10.0/24 points out f0/0, so the strict check fails and the packets are dropped:
R3(config)#do ping 10.10.10.10 source loop10 rep 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
..
Success rate is 0 percent (0/2)
R2#sh ip traffic
IP statistics:
…
Drop: 1982 encapsulation failed, 0 unresolved, 0 no adjacency
9 no route, 2 unicast RPF, 0 forced drop
0 options denied
…
R2#sh ip int f0/1
FastEthernet0/1 is up, line protocol is up
Internet address is 192.168.20.2/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
…
IP verify source reachable-via RX
2 verification drops
…
Example 2:
Exempt networks from the uRPF check using an ACL. Packets that fail the check are still forwarded if their source is permitted by the ACL referenced in the command:
R2(config)#
access-list 10 permit 1.1.1.0 0.0.0.255
interface FastEthernet0/1
no ip verify unicast source reachable-via rx
ip verify unicast source reachable-via rx 10
R3(config)#
no interface loopback10
R3(config)#do ping 192.168.10.1 source loop11 rep 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 30/40/49 ms
Example 3:
Allow sources that are reachable only through the default route to pass the uRPF check. First the ACL exemption is removed from R2 (uRPF is configured on R2's f0/1), so the 1.1.1.1 source fails the check again:
R2(config)#
interface FastEthernet0/1
no ip verify unicast source reachable-via rx 10
ip verify unicast source reachable-via rx
R3(config)#do ping 192.168.10.1 source loop11 rep 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
..
Success rate is 0 percent (0/2)
! Allow the default route to satisfy the uRPF check when no more specific route to the source exists
R2(config)#
interface FastEthernet0/1
ip verify unicast source reachable-via rx allow-default
R3(config)#do ping 192.168.10.1 source loop11 rep 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 40/46/52 ms
R2#sh ip int f0/1
FastEthernet0/1 is up, line protocol is up
Internet address is 192.168.20.2/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
…
IP verify source reachable-via RX, allow default
4 verification drops
…