Why does source RTBH need uRPF?

  • 1.  Why does source RTBH need uRPF?

    Posted 05-02-2018 01:40

    Hello,

    I'm trying to understand why source-address RTBH needs to be coupled with configuring uRPF on the edge ports.

    I've read RFC5635 and other vendor papers on this topic but I can't figure out the reason; perhaps I'm missing something obvious.

    Why would S/RTBH not work without uRPF? The trigger router would advertise the source address that needs to be blocked with a specific "evil" community, and based on this community the edge routers would install a next-hop of discard. So the source address would be blocked anyway, so why the need for uRPF?

    Many thanks,

    Cristian


    #urpf
    #rtbh
    #BGP


  • 2.  RE: Why does source RTBH need uRPF?

    Posted 05-02-2018 02:52
    Just a thought...

    Maybe to make sure that it's not a rogue router who is advertising the attack source?

    Perhaps, using uRPF, you can make sure that it's not a spoof attack/advertisement?


  • 3.  RE: Why does source RTBH need uRPF?

    Posted 05-02-2018 02:59

    But even if it's a spoofed IP address, traffic from that source will be discarded anyway, since all the edge routers will have a discard route for it. Right?



  • 4.  RE: Why does source RTBH need uRPF?

    Posted 05-02-2018 03:13

    I am not sure if I understood your question.

    But when I say source, I meant the source of the packet in which the attack prefix is advertised.

    Please refer to section 4:

    https://tools.ietf.org/html/rfc5635#page-7



  • 5.  RE: Why does source RTBH need uRPF?

    Posted 05-02-2018 03:26

    Hi Kingsman, thanks for trying to clarify this.

    As stated in my initial message, I've already consulted the RFC.

    Let's use a particular example. Let's say that an ISP identifies that a DDoS attack is being generated from a particular IP address somewhere on the internet (let's use 8.8.8.8 for the simplicity of the example). With S/RTBH, a trigger router will create a static route for 8.8.8.8/32 and the edge routers that belong to this ISP will install this route with a next-hop of discard.

    Therefore, my point is that with or without uRPF, traffic entering the ISP from that IP address (spoofed or not) will be discarded anyway. So why the need for uRPF?



  • 6.  RE: Why does source RTBH need uRPF?

    Posted 05-02-2018 03:37
    The route then will be advertised to all the other edge routers in the ISP network.

    Source: Chapter 1, BGP FlowSpec Day One guide.

    > The service provider prepares their network by putting a static discard route in each of their routers as well as unicast Remote Path Forwarding (uRPF) on each of their interfaces before an attack takes place. Once an attack is launched, the enterprise customer contacts the service provider and asks them to block the attack. The service provider NOC then creates a discard route for the source of the attack. This route is advertised from the service provider's router to all of their edge routers and rewrites the next hop to the pre-staged discard route. This allows the attack victim to still be reachable from all sources except the one that is being blocked. However, this method only works for a small number of sources and is not fit for a truly distributed attack.

    uRPF could be used there, I guess.


  • 7.  RE: Why does source RTBH need uRPF?

    Posted 05-02-2018 03:49

    Yeah, thanks, I guess the uRPF is there to prevent IP spoofing from happening in the first place. 



  • 8.  RE: Why does source RTBH need uRPF?
    Best Answer

    Posted 05-02-2018 03:54
    Yeah, but with RTBH it's used because the routing is always destination based. We need a mechanism to route the traffic based on source.

    When the discard route is redistributed to all the other PE routers in the network, they will install the route for the source in the routing table pointing to the discard interface/entry.

    When any PE receives the traffic from the attacker, the uRPF check will happen, and since the router has the discard route for the source, the uRPF check will fail and the traffic will be dropped.

    Now you can imagine, what if uRPF is not configured??

    That's why we call it source-based RTBH.
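
    The mechanism described in this answer, as an added example that is not code from the thread, the Day One guide, or any vendor: a small Python model of a PE router's forwarding decision. It builds the table the guide describes (a pre-staged discard route, the S/RTBH /32 for the attack source pointing at it, a default route upstream and a customer prefix) and shows that the destination-based lookup alone still forwards the attacker's packets to the victim, while a loose-mode uRPF check on the edge interface drops them because the source resolves to the discard route. All prefixes, interface names, the "evil" community value and the victim address are constructed sample data.

```python
"""Toy model of a PE router's forwarding decision under S/RTBH.
Added example, not code from the thread or from any vendor.
All prefixes, interface names and the 'evil' community are constructed sample data."""
import ipaddress
from dataclasses import dataclass, field

DISCARD = "discard"   # stands in for the platform's discard next hop


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str            # interface name, DISCARD, or an IP address (recursive next hop)
    community: str = ""      # e.g. the RTBH "evil" community carried by the trigger route


@dataclass
class Router:
    routes: list = field(default_factory=list)
    urpf_interfaces: set = field(default_factory=set)   # interfaces with loose-mode uRPF

    def lookup(self, addr):
        """Longest-prefix match on the routing table (the normal, destination-style lookup)."""
        ip = ipaddress.ip_address(addr)
        matches = [r for r in self.routes if ip in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def resolve(self, route):
        """Follow recursive next hops: the RTBH /32 points at the pre-staged
        discard route, which finally resolves to DISCARD."""
        for _ in range(8):                       # bound the recursion depth
            if route is None:
                return None
            try:
                ipaddress.ip_address(route.next_hop)
            except ValueError:
                return route.next_hop            # an interface name or DISCARD
            route = self.lookup(route.next_hop)  # next hop is an IP: resolve it again
        return None

    def urpf_loose_ok(self, src):
        """Loose-mode uRPF: the source must resolve to a real (non-discard) next hop."""
        return self.resolve(self.lookup(src)) not in (None, DISCARD)

    def forward(self, ingress, src, dst):
        """Return the forwarding decision for one packet arriving on 'ingress'."""
        if ingress in self.urpf_interfaces and not self.urpf_loose_ok(src):
            return "DROP (uRPF fail: source resolves to discard route)"
        nh = self.resolve(self.lookup(dst))
        if nh in (None, DISCARD):
            return "DROP (destination unroutable or discarded)"
        return f"FORWARD via {nh}"


def build_pe(urpf_on_edge):
    """Build a PE the way the Day One text describes: default route upstream, a
    customer prefix, a pre-staged discard route, and the S/RTBH /32 for the source."""
    net = ipaddress.ip_network
    pe = Router()
    pe.routes.append(Route(net("0.0.0.0/0"), "ge-0/0/0"))          # upstream / Internet
    pe.routes.append(Route(net("203.0.113.0/24"), "ge-0/0/1"))     # customer (victim) prefix
    pe.routes.append(Route(net("192.0.2.1/32"), DISCARD))          # pre-staged discard route
    # injected by the trigger router with the (constructed) "evil" community;
    # its next hop is rewritten to the pre-staged discard route
    pe.routes.append(Route(net("8.8.8.8/32"), "192.0.2.1", community="65000:666"))
    if urpf_on_edge:
        pe.urpf_interfaces.add("ge-0/0/0")
    return pe


if __name__ == "__main__":
    victim = "203.0.113.10"
    for urpf in (False, True):
        pe = build_pe(urpf)
        print(f"uRPF on edge interface = {urpf}")
        print("  attack  8.8.8.8 -> victim       :", pe.forward("ge-0/0/0", "8.8.8.8", victim))
        print("  normal  198.51.100.7 -> victim  :", pe.forward("ge-0/0/0", "198.51.100.7", victim))
        print("  reply   victim -> 8.8.8.8       :", pe.forward("ge-0/0/1", victim, "8.8.8.8"))
```

    Without uRPF the attack packet is forwarded to the customer interface because only the destination (the victim prefix) is looked up; the discard route for 8.8.8.8/32 is consulted only for packets sent *to* that address, which is the D/RTBH case. With loose-mode uRPF on the upstream interface the source is looked up as well, and since it resolves (recursively) to the discard next hop, the packet is dropped at the edge. Strict-mode uRPF would additionally require the source to be reachable via the ingress interface, but the conclusion is the same.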


  • 9.  RE: Why does source RTBH need uRPF?

    Posted 05-02-2018 04:00

    You're right, Kingsman, thanks. Without uRPF, malicious traffic would still reach the victim(s).



  • 10.  RE: Why does source RTBH need uRPF?

    Posted 05-02-2018 04:20

    Hello,

    @Kingsman wrote:

    > Now you can imagine, what if uRPF is not configured??

    There is a way to do source RTBH without uRPF.

    A precursor to uRPF, called SCU, is used instead.

    I did the design and proof of concept for a customer of mine but it did not go through, unfortunately 😞

    HTH

    Thx

    Alex



  • 11.  RE: Why does source RTBH need uRPF?

    Posted 05-02-2018 04:32

    I didn't know that... Thank you for the information 🙂