Spoof Detection or Unicast RPF

Unicast Reverse Path Forwarding (URPF) forces the PIX to examine all packets received as input on an interface to make sure that:

• The source address and source interface appear in the routing table.

• The return path for the source IP address is through the same interface on which the packet was received.

URPF checks whether each packet received on an interface arrived on the best return path (the reverse route) to the packet's source. If the packet was received on the interface that the best reverse-path route points to, the packet is forwarded as normal. If the reverse-path route for the source address points to a different interface from the one on which the packet was received, the source address may have been modified or spoofed, and the packet is dropped. If URPF finds no reverse-path route for the source address at all, the packet is also dropped.

URPF in PIX is implemented as follows:

• ICMP packets have no session, so each ICMP packet is checked individually by URPF against the routing table.

• UDP and TCP have sessions, so only the initial packet of a session requires a reverse-route lookup. Subsequent packets arriving during the session are checked against the state maintained as part of the session: noninitial packets must arrive on the same interface the initial packet used, or they are dropped.

For URPF to work correctly, the PIX needs a route to the source IP address of every packet it checks. If that route does not exist, the PIX has no way to verify whether the packet came from a source that is entitled to use that source IP address, so it drops the packet. Therefore, before enabling URPF on an interface (the ip verify reverse-path interface command), you should add a static route command for every network that can be reached through the interfaces you want to protect, or set up RIP routing so the PIX learns those routes. Enable the command only when routing is fully specified: if routing is not in place, the PIX Firewall stops traffic on the specified interface rather than letting unverifiable packets through.

Figure 8-8 shows how URPF works on the PIX Firewall.

Figure 8-8 URPF Feature in PIX

Route: inside 10.0.0.0 255.0.0.0

1. A packet arrives at the PIX inside interface from 10.1.1.1.

2. The PIX has a return route to 10.1.1.1 through the interface on which the packet was received, so it allows the packet to be processed further.

3. A packet arrives at the inside interface with a source address of 160.1.1.1 (spoofed).

4. The PIX drops the packet, since the best path to 160.1.1.1 is through its outside interface and not the inside interface.
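The following is an added example, not PIX code or code from the book: a small Python model of the URPF decision described above, applied to the routing table of Figure 8-8. The interface names, the default route via the outside interface, the destination 198.51.100.7 and the packets themselves are constructed for the illustration. It covers the per-packet check for ICMP, the one-time reverse-route lookup for the initial TCP/UDP packet followed by interface checks against session state, the spoofed-source drop from the figure, and the caveat that a source with no route at all is dropped.

```python
"""URPF check as the text describes it, simulated in Python.

Added example, not PIX code. Routing table, interface names and packets are
constructed to match Figure 8-8 and the session rules described in the text.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network  # destination prefix
    interface: str                 # interface the prefix is reached through


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    in_iface: str   # interface the packet was received on
    sport: int = 0  # ports are ignored for icmp
    dport: int = 0


class UrpfFirewall:
    """Minimal model of a PIX with URPF enabled on some interfaces."""

    def __init__(self, routes, urpf_interfaces):
        self.routes = list(routes)
        self.urpf_interfaces = set(urpf_interfaces)
        # TCP/UDP only: 5-tuple -> interface the initial packet arrived on
        self.sessions = {}
        self.route_lookups = 0  # counts reverse-route lookups performed

    def best_return_route(self, src):
        """Longest-prefix match for the route back to the packet's source."""
        self.route_lookups += 1
        addr = ipaddress.IPv4Address(src)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r.prefix.prefixlen)

    def check(self, pkt):
        """Return 'forward' or a 'drop: ...' verdict for one received packet."""
        if pkt.in_iface not in self.urpf_interfaces:
            return "forward"  # URPF not enabled on this interface
        stateful = pkt.proto in ("tcp", "udp")
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if stateful and key in self.sessions:
            # Non-initial packet: no route lookup, only compare the interface
            # with the one the session's initial packet arrived on.
            if self.sessions[key] == pkt.in_iface:
                return "forward"
            return "drop: interface differs from session"
        # ICMP (no session) and initial TCP/UDP packets: reverse-route lookup
        route = self.best_return_route(pkt.src)
        if route is None:
            return "drop: no route to source"
        if route.interface != pkt.in_iface:
            return "drop: best return path is via " + route.interface
        if stateful:
            self.sessions[key] = pkt.in_iface
        return "forward"


def make_pix():
    """Routing table from Figure 8-8 plus an assumed default route outside."""
    routes = [
        Route(ipaddress.IPv4Network("10.0.0.0/8"), "inside"),
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "outside"),
    ]
    return UrpfFirewall(routes, urpf_interfaces={"inside", "outside"})


def demo():
    """Walk through the cases in the text; returns the verdicts by name."""
    pix = make_pix()
    out = {}
    syn = Packet("tcp", "10.1.1.1", "198.51.100.7", "inside", 1025, 80)
    out["legit_initial"] = pix.check(syn)              # Figure 8-8 steps 1-2
    out["spoofed_inside"] = pix.check(                 # Figure 8-8 steps 3-4
        Packet("icmp", "160.1.1.1", "10.1.1.1", "inside"))
    before = pix.route_lookups
    out["icmp_outside"] = pix.check(Packet("icmp", "160.1.1.1", "10.1.1.1", "outside"))
    out["icmp_did_lookup"] = pix.route_lookups == before + 1
    before = pix.route_lookups
    out["legit_subsequent"] = pix.check(syn)           # state check only
    out["subsequent_did_lookup"] = pix.route_lookups != before
    out["injected_outside"] = pix.check(               # same 5-tuple, wrong side
        Packet("tcp", "10.1.1.1", "198.51.100.7", "outside", 1025, 80))
    # Caveat from the text: no route to the source means the packet is dropped
    partial = UrpfFirewall([Route(ipaddress.IPv4Network("10.0.0.0/8"), "inside")],
                           urpf_interfaces={"inside", "outside"})
    out["no_route"] = partial.check(Packet("icmp", "160.1.1.1", "10.1.1.1", "outside"))
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>22}: {verdict}")
```

Running the block prints one verdict per case. The "no_route" case is the one the text warns about: the second firewall is missing the route to the outside network, so a perfectly legitimate packet from 160.1.1.1 is dropped on the outside interface, which is why the routing table must be complete before URPF is enabled. The model ignores NAT and the PIX's per-direction connection handling; it only shows the reverse-path and session-interface decisions the text describes.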
