Overview of URPF
A Denial of Service (DoS) attack prevents legitimate users from connecting to a server. The attacker sends a large number of connection requests so that the server's resources are exhausted and authorized users no longer receive responses.
Unicast Reverse Path Forwarding (URPF) check enables the device to look up the source Internet Protocol (IP) address of each incoming packet in the Forwarding Information Base (FIB) table and compare the resulting route with the inbound interface of the packet. If the route to the source IP address does not lead out through the interface on which the packet arrived, the packet is discarded. This defeats IP spoofing, in particular DoS attacks that use bogus source IP addresses.
As shown in Figure 15-1, a bogus packet with source IP address 2.1.1.1 is sent from SwitchA to SwitchB. After receiving the bogus packet, SwitchB sends a response packet to the device that actually owns 2.1.1.1, SwitchC. Both SwitchB and SwitchC are therefore affected by the bogus packet.
If URPF strict check is enabled on SwitchB, then when SwitchB receives the bogus packet with source IP address 2.1.1.1, URPF discards it, because the interface through which the FIB reaches 2.1.1.1 is not the interface on which the packet was received.
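The check described above, as an added illustration that is not part of the original documentation: a small model of SwitchB's FIB with longest-prefix lookup, and a URPF function that applies the strict rule (route must exist and its outbound interface must equal the inbound interface) beside the loose rule (route must merely exist). The FIB entries and interface names (GE0/0/1 toward SwitchA, GE0/0/2 toward SwitchC) are constructed for the example and are not taken from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class FibEntry:
    """One FIB route: destination prefix and the interface it is reached through."""
    prefix: ipaddress.IPv4Network
    out_iface: str

# Constructed FIB for the SwitchB role in the scenario; interface names are assumptions.
SWITCHB_FIB: List[FibEntry] = [
    FibEntry(ipaddress.ip_network("1.1.1.0/24"), "GE0/0/1"),  # network behind SwitchA
    FibEntry(ipaddress.ip_network("2.1.1.0/24"), "GE0/0/2"),  # network behind SwitchC
]

def fib_lookup(fib: List[FibEntry], addr: str) -> Optional[FibEntry]:
    """Longest-prefix match of addr against the FIB; None if no route covers it."""
    ip = ipaddress.ip_address(addr)
    best: Optional[FibEntry] = None
    for entry in fib:
        if ip in entry.prefix and (best is None or entry.prefix.prefixlen > best.prefix.prefixlen):
            best = entry
    return best

def urpf_check(fib: List[FibEntry], src_ip: str, in_iface: str,
               mode: str = "strict") -> Tuple[bool, str]:
    """Apply URPF to a packet's source address.

    Returns (accept, reason). The FIB is consulted for the *source* address,
    i.e. the path the packet would take back to its claimed origin.
    """
    route = fib_lookup(fib, src_ip)
    if route is None:
        # Neither mode accepts a source that the device has no route back to.
        return False, f"drop: no route to source {src_ip}"
    if mode == "loose":
        return True, f"accept (loose): route to {src_ip} exists via {route.out_iface}"
    if mode == "strict":
        if route.out_iface == in_iface:
            return True, f"accept (strict): {src_ip} is reached via {in_iface}"
        return False, (f"drop (strict): {src_ip} is reached via {route.out_iface}, "
                       f"but packet arrived on {in_iface}")
    raise ValueError(f"unknown URPF mode: {mode}")

def scenario() -> List[Tuple[str, str, str, bool]]:
    """Run the page's scenario plus two comparison cases; returns (src, iface, mode, accepted)."""
    packets = [
        ("2.1.1.1", "GE0/0/1", "strict"),  # spoofed 2.1.1.1 arriving from SwitchA's side
        ("2.1.1.1", "GE0/0/1", "loose"),   # same packet, loose mode lets it through
        ("2.1.1.1", "GE0/0/2", "strict"),  # genuine traffic from SwitchC's side
        ("1.1.1.5", "GE0/0/1", "strict"),  # genuine traffic from SwitchA's side
        ("9.9.9.9", "GE0/0/1", "loose"),   # unroutable source, dropped even in loose mode
    ]
    results = []
    for src, iface, mode in packets:
        accepted, reason = urpf_check(SWITCHB_FIB, src, iface, mode)
        results.append((src, iface, mode, accepted))
        print(f"{src:>9} on {iface} [{mode:6}] -> {reason}")
    return results

if __name__ == "__main__":
    scenario()
```

Strict mode is what the page describes for SwitchB: the spoofed packet claiming 2.1.1.1 arrives on the SwitchA-facing interface while the FIB reaches 2.1.1.1 through the SwitchC-facing interface, so it is dropped. Loose mode only requires that some route to the source exist, which is why it accepts the same spoofed packet but still rejects a source with no route at all; strict mode is therefore only appropriate where routing toward the source is symmetric with the interface traffic arrives on.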