Overview
Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks.
Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers do not receive the response packets, the attack is still disruptive.
Figure 124: Source address spoofing attack
As shown in Figure 124, an attacker on Router A sends requests to the server (Router B) with the forged source IP address 2.2.2.1. Router B sends its response packets to IP address 2.2.2.1 (Router C). Consequently, both Router B and Router C are attacked. URPF can prevent such attacks.
The term "router" in this document refers to both routers and Layer 3 switches.
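The following added example (not part of the original document or any vendor code) models the reverse-path check Router B would apply to the spoofed request in Figure 124. The interface names, the 1.1.1.0/24 prefix, the default route, and the `allow_default` parameter are assumptions made for illustration; only the address 2.2.2.1 comes from the text above.

```python
import ipaddress

# Constructed FIB for Router B: (prefix, outgoing interface).
# Assumption: Router A is reached via GE1/0/1, Router C via GE1/0/2.
FIB = [
    ("1.1.1.0/24", "GE1/0/1"),   # toward Router A (attacker side)
    ("2.2.2.0/24", "GE1/0/2"),   # toward Router C (owner of 2.2.2.1)
    ("0.0.0.0/0", "GE1/0/1"),    # default route
]

def lookup(fib, addr):
    """Longest-prefix match on addr; returns (network, out_if) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, out_if in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, out_if)
    return best

def urpf_check(fib, src, in_if, mode="strict", allow_default=False):
    """Return True if a packet with source src arriving on in_if passes.

    strict: the best route back to src must point out of in_if.
    loose:  any route back to src is enough.
    A match on the default route only counts when allow_default is set
    (hypothetical parameter name).
    """
    match = lookup(fib, src)
    if match is None:
        return False                      # no route back to the source
    net, out_if = match
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route matched
    if mode == "loose":
        return True
    return out_if == in_if                # strict: interfaces must agree

if __name__ == "__main__":
    # Spoofed request from Figure 124: source 2.2.2.1 arriving from Router A.
    print("strict:", urpf_check(FIB, "2.2.2.1", "GE1/0/1"))
    print("loose: ", urpf_check(FIB, "2.2.2.1", "GE1/0/1", mode="loose"))
```

The strict check drops the spoofed request because the route back to 2.2.2.1 leaves through a different interface than the one the packet arrived on, while the loose check accepts it because a route to 2.2.2.1 exists. Strict mode assumes symmetric routing: on links where return traffic legitimately uses another interface, it drops valid packets.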