Understanding Loose uRPF for preventing spoof attacks

From: Jorge Cortes <jorge.cortes.cano_at_gmail.com>
Date: Mon, 10 May 2010 10:42:35 -0500

Hi Team,

I've been thinking about uRPF for preventing spoof attacks and so far
this is what I understand:

When strict uRPF is in use, the incoming packets are checked against
the routing table and there must be an exact match [network, outgoing
interface] in it in order for the packet to be forwarded, otherwise it
is dropped.
When loose uRPF is in use, the routing table is only checked for
routes pointing to the source network of the incoming packets, but a
check on the incoming interface is not enforced.

So given the above facts strict uRPF is very well suited for
preventing spoof attacks when the offending packets have a spoofed IP
address in any network that is not in the routing table, as well as
internal networks; however, I can see that loose uRPF fails to prevent
spoof attacks when the offending packets have a spoofed IP address in
the internal network, since the routers have routes for the internal
networks and there is no check enforced on the incoming interface. Is
my understanding correct?

If we have a multihomed topology where the traffic flows are
asymmetric and we are asked to prevent spoof attacks with IP addresses
in the internal network, what would be the way to accomplish this? The
simplest solution that comes to my mind would be applying ingress
access lists denying packets with a source IP address from the internal
network on the interfaces facing the external network, but I would
like to expand the possibilities.

Thanks,
Jorge

Blogs and organic groups at http://www.ccie.net
Received on Mon May 10 2010 - 10:42:35 ART
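The strict/loose distinction and the ingress-ACL idea in the message above can be made concrete with a small simulation. This is an added example, not code from the original post or from any vendor: it models a multihomed edge router with a constructed routing table (prefixes and interface names are assumptions), applies the strict check (route must exist and its outgoing interface must match the arrival interface) and the loose check (route must merely exist), then layers the anti-spoof ingress ACL on top. One modelling assumption: the default route is not counted as a valid reverse path, since otherwise every address would pass the loose check.

```python
import ipaddress

# Constructed example routing table for a multihomed edge router:
# (prefix, outgoing interface). Interface names are assumptions.
ROUTES = [
    ("10.0.0.0/8", "Gi0/0"),       # internal network, LAN side
    ("192.0.2.0/24", "Gi0/1"),     # reachable via upstream A
    ("198.51.100.0/24", "Gi0/2"),  # reachable via upstream B
    ("0.0.0.0/0", "Gi0/1"),        # default route via upstream A
]
EXTERNAL_IFACES = {"Gi0/1", "Gi0/2"}
INTERNAL_PREFIX = ipaddress.ip_network("10.0.0.0/8")


def lookup(src, routes=ROUTES, allow_default=False):
    """Longest-prefix match for a source address.

    Returns (network, outgoing_iface) or None. The default route is
    ignored unless allow_default is set (assumption of this model),
    because counting it would make every address "routable".
    """
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_passes(src, in_iface, mode, routes=ROUTES):
    """uRPF verdict for a packet with source `src` arriving on `in_iface`.

    strict: a route must exist AND its outgoing interface must equal the
            interface the packet arrived on.
    loose:  a route must exist; the arrival interface is not checked.
    """
    match = lookup(src, routes)
    if match is None:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return match[1] == in_iface
    raise ValueError(f"unknown uRPF mode: {mode}")


def acl_passes(src, in_iface):
    """Ingress anti-spoof ACL: on external interfaces, deny any packet
    whose source claims to be inside the internal prefix."""
    if in_iface in EXTERNAL_IFACES and ipaddress.ip_address(src) in INTERNAL_PREFIX:
        return False
    return True


def admit(src, in_iface):
    """Combined policy for the asymmetric multihomed case: loose uRPF
    (drops sources with no route at all) plus the ingress ACL (drops the
    spoofed internal sources that loose uRPF alone lets through)."""
    return urpf_passes(src, in_iface, "loose") and acl_passes(src, in_iface)


if __name__ == "__main__":
    # Constructed packets: (source address, arrival interface, description)
    packets = [
        ("10.1.2.3", "Gi0/1", "spoofed internal source from upstream A"),
        ("203.0.113.5", "Gi0/1", "unrouted source from upstream A"),
        ("198.51.100.9", "Gi0/1", "upstream-B prefix arriving via A (asymmetric)"),
        ("10.1.2.3", "Gi0/0", "internal host on the LAN interface"),
    ]
    print(f"{'source':<14}{'iface':<7}{'strict':<8}{'loose':<7}{'acl':<6}{'admit':<7}desc")
    for src, iface, desc in packets:
        print(f"{src:<14}{iface:<7}"
              f"{str(urpf_passes(src, iface, 'strict')):<8}"
              f"{str(urpf_passes(src, iface, 'loose')):<7}"
              f"{str(acl_passes(src, iface)):<6}"
              f"{str(admit(src, iface)):<7}{desc}")
```

Running it shows the two points made in the message: the spoofed 10.1.2.3 arriving on Gi0/1 is dropped by strict uRPF but accepted by loose uRPF, and only the ingress ACL catches it; conversely the legitimate 198.51.100.9 arriving on Gi0/1 instead of Gi0/2 (the asymmetric case) is wrongly dropped by strict uRPF but passes loose uRPF plus the ACL.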
