
[SRX/J/EX/M/MX/T] How to mitigate address-spoofing Denial-of-Service (DoS) attacks using Unicast Reverse-Path Forwarding (RPF)



Article ID: KB27278 KB Last Updated: 29 Apr 2013 Version: 1.0
This article describes how to deny illegitimate connection requests from spoofed source addresses by implementing Unicast Reverse-Path Forwarding (RPF).

In address-spoofing DoS attacks, an intruder floods its target with packets that contain a spoofed source address, essentially impersonating another system's IP address. The flooding results in a DoS at the target, and because the source address is spoofed, the true source of the traffic is difficult to trace.
Consider a scenario in which the spoofed packets are entering through the ge-0/0/0 interface of the device.
The resource being targeted is connected to the LAN interface.

The unicast RPF check performs a route table lookup on an IP packet’s source address and checks the incoming interface.
The router determines whether the packet is arriving from a path that the sender would use to reach the destination.
If the packet is from a valid path, the router forwards the packet to the destination address.
If it is not from a valid path, the router discards the packet.

Implementing basic unicast RPF is a two-step procedure:

1) Enable RPF on the device with the unicast-reverse-path statement in the [edit routing-options] hierarchy:

    Option 1: Active-paths
     [edit routing-options]
     SRX-3# set forwarding-table unicast-reverse-path active-paths

    With the active-paths option, unicast RPF considers all active routes in the routing table when checking how to reach the source address in the packet.

    Option 2: Feasible-paths
     [edit routing-options]
     SRX-3# set forwarding-table unicast-reverse-path feasible-paths

    With the feasible-paths option, unicast RPF considers both active and non-active routes for how to reach the source address in the packet.

2) Select the interfaces on which to run unicast RPF:

  [edit interfaces ge-0/0/0 unit 0 family inet]
  SRX-3# set rpf-check

By default, unicast RPF uses strict mode, which checks that a route exists for the prefix of the packet's source IP address
and that the interface for that route is the same one through which the packet entered the device.

The other mode is "loose", in which only the existence of a route for the source prefix is checked:

  [edit interfaces ge-0/0/0 unit 0 family inet]
  SRX-3# set rpf-check mode loose
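
The strict/loose and active-paths/feasible-paths decisions described above, as a simplified Python model added here for illustration (not Juniper code and not part of the original article). The routing table, the interface roles and the packets are constructed samples using documentation prefixes; default-route handling is not modelled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str      # destination prefix
    interface: str   # interface the route points out of
    active: bool     # True if this is the active path for the prefix

# Constructed routing table (assumption for the example, not from the article).
ROUTES = [
    Route("192.0.2.0/24", "ge-0/0/1", True),      # LAN assumed behind ge-0/0/1
    Route("198.51.100.0/24", "ge-0/0/2", True),   # active path to a peer network
    Route("198.51.100.0/24", "ge-0/0/0", False),  # non-active alternate path
]

def urpf_pass(src, in_if, mode="strict", paths="active-paths", routes=ROUTES):
    """Simplified model: True if the packet passes the unicast RPF check."""
    addr = ipaddress.ip_address(src)
    # active-paths considers only active routes; feasible-paths adds non-active ones
    nets = [(ipaddress.ip_network(r.prefix), r) for r in routes
            if r.active or paths == "feasible-paths"]
    matches = [(n, r) for n, r in nets if addr in n]
    if not matches:
        return False                      # no route to the source: fails both modes
    if mode == "loose":
        return True                       # any route to the source prefix is enough
    longest = max(n.prefixlen for n, _ in matches)
    # strict: a considered route for the longest match must use the arrival interface
    return any(r.interface == in_if for n, r in matches if n.prefixlen == longest)

def count_failures(packets, **opts):
    """Count packets that would be handed to the fail filter (cf. rpf-failed-count)."""
    return sum(not urpf_pass(src, in_if, **opts) for src, in_if in packets)

# Constructed packets: (source address, arrival interface)
PACKETS = [
    ("198.51.100.7", "ge-0/0/2"),  # arrives on the active path
    ("198.51.100.7", "ge-0/0/0"),  # arrives on the non-active path (asymmetric routing)
    ("192.0.2.5", "ge-0/0/0"),     # LAN source address arriving on the outside interface
    ("203.0.113.9", "ge-0/0/0"),   # source with no route at all
]

if __name__ == "__main__":
    for mode, paths in [("strict", "active-paths"), ("strict", "feasible-paths"),
                        ("loose", "active-paths")]:
        print(mode, paths, "failures:", count_failures(PACKETS, mode=mode, paths=paths))
```

With these samples, strict mode fails three packets under active-paths and two under feasible-paths, while loose mode fails only the source that has no route. The LAN-sourced packet arriving on ge-0/0/0 passes in loose mode, which is why strict mode is the setting that addresses the scenario in this article.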


When an incoming packet fails the unicast RPF check, the packet is not accepted on the interface.
When a packet is not accepted on an interface, it is sent to an optional fail filter.
If the fail filter is not configured, the default action is to silently discard the packet.

In the case of a DoS attack, since all the packets are considered illegitimate, the fail filter can be configured to count and reject them:

[edit firewall]
SRX-3# set filter rpf-filter term default then count rpf-failed-count
SRX-3# set filter rpf-filter term default then reject

Apply the filter to the RPF check:

[edit interfaces ge-0/0/0]
SRX-3# set unit 0 family inet rpf-check fail-filter rpf-filter

Verification:

SRX-3# run show interfaces ge-0/0/0.0 extensive | match RPF
Flags: Sendbcast-pkt-to-re, Is-Primary, uRPF
RPF Failures: Packets: 132, Bytes: 8548

SRX-3> show firewall

Filter: __default_bpdu_filter__

Filter: rpf-filter
Name                     Bytes      Packets
rpf-failed-count          8548          132


The fail filter can also be configured to accept the packets which fail the RPF check.
Unicast RPF filters are not part of the normal firewall filter on an interface but are handled separately.
They are evaluated after input filters and before output filters.
Unicast RPF looks only in the inet.0 routing table for IPv4 packets and the inet6.0 table for IPv6 packets,
so if an interface's input filter forwards packets to a different routing table, the unicast RPF check is not performed.
