Configuring and verifying unicast reverse path filter (uRPF) on Juniper SRX
Unicast reverse path filtering is a router/firewall/switch feature that lets ISPs counteract source address spoofing.
On Junos it is enabled per interface. For each incoming packet the source IP is looked up in the FIB (Forwarding Information Base), and the packet passes only if the interface the FIB would use to reach that source is the interface the packet arrived on.
Example of activating reverse path filter on an RVI interface:
Code:
LaR3@samantha# show interfaces vlan.22 | display set
set interfaces vlan unit 22 family inet rpf-check
set interfaces vlan unit 22 family inet address 10.1.22.1/27
Verifying if RPF is enabled:
Code:
LaR3@samantha# run show interfaces vlan.22 extensive
Logical interface vlan.22 (Index 89) (SNMP ifIndex 528) (Generation 154)
Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.22 ] Encapsulation: ENET2
Bandwidth: 0
Traffic statistics:
Input bytes : 0
Output bytes : 46
Input packets: 0
Output packets: 1
Local statistics:
Input bytes : 0
Output bytes : 46
Input packets: 0
Output packets: 1
Security: Zone: dmz-zone
Allowed host-inbound traffic : ping ntp
Flow Statistics :
Flow Input statistics :
Self packets : 0
ICMP packets : 1
VPN packets : 0
Multicast packets : 0
Bytes permitted by policy : 202918
Connections established : 1
Flow Output statistics:
Multicast packets : 0
Bytes permitted by policy : 213607
Flow error statistics (Packets dropped due to):
Address spoofing: 0
Authentication failed: 0
Incoming NAT errors: 0
Invalid zone received packet: 0
Multiple user authentications: 0
Multiple incoming NAT: 0
No parent for a gate: 0
No one interested in self packets: 0
No minor session: 0
No more sessions: 0
No NAT gate: 0
No route present: 0
No SA for incoming SPI: 0
No tunnel found: 0
No session for a gate: 0
No zone or NULL zone binding 0
Policy denied: 0
Security association not active: 0
TCP sequence number out of window: 0
Syn-attack protection: 0
User authentication errors: 0
Protocol inet, MTU: 1500, Generation: 162, Route table: 0
Flags: Sendbcast-pkt-to-re, uRPF
RPF Failures: Packets: 0, Bytes: 0 --> ENABLED
Input Filters: classify-dmz-traffic
Addresses, Flags: Is-Preferred Is-Primary
Destination: 10.1.22.0/27, Local: 10.1.22.1, Broadcast: 10.1.22.31, Generation: 162
So my SRX expects packets sourced from 10.1.22.0/27 on the vlan.22 interface.
What happens with a packet sourced from 192.168.1.2, for example? Let's check:
Code:
LaR3@samantha# run show route forwarding-table destination 192.168.1.2
Routing table: default.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
192.168.1.0/24 intf 0 rslv 596 1 vlan.8
So Junos expects packets sourced from 192.168.1.0/24 on the vlan.8 interface, not on vlan.22. Let's see what happens if I send such a packet on the network to the SRX:
Code:
LaR3@samantha# run show interfaces vlan.22 extensive | match rpf
Flags: Sendbcast-pkt-to-re, uRPF
RPF Failures: Packets: 1, Bytes: 40
So the TCP SYN packet was dropped and recorded in the interface's RPF failure counters.
What if we want more detail on which customers are spoofing the most?
You can apply a firewall filter to the packets that fail the RPF check (the spoofed ones):
Code:
LaR3@samantha# show interfaces vlan.22 | display set
set interfaces vlan unit 22 family inet rpf-check fail-filter log-rpf
set interfaces vlan unit 22 family inet address 10.1.22.1/27
[edit]
LaR3@samantha# show firewall filter log-rpf
term 0 {
    then log;
}
The "log-rpf" filter is applied to every packet failing the RPF check (spoofed). To verify this:
Code:
LaR3@samantha# run show firewall log detail interface vlan.22
Time of Log: 2013-02-01 15:58:46 UTC, Filter: pfe, Filter action: accept, Name of interface: vlan.22
Name of protocol: TCP, Packet Length: 40, Source address: 192.168.1.2:46017, Destination address: 8.8.8.8:61510
Time of Log: 2013-02-01 15:58:27 UTC, Filter: pfe, Filter action: accept, Name of interface: vlan.22
Name of protocol: TCP, Packet Length: 40, Source address: 10.1.23.2:33204, Destination address: 8.8.8.8:53546
Note that applying the above firewall filter to RPF-fail packets allows those packets through, as the "Filter action: accept" in the log shows, so if you want them dropped, set the correct terminating action in the filter.
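Both the per-interface check described at the top of the post and the fail-filter caveat just above, modelled as an added Python example (not Junos code or anything from the post): a small FIB with longest-prefix match, the strict RPF test, and a processing loop in which a log-only fail-filter still forwards the spoofed packet while a discard variant drops it. The 10.1.23.0/27 -> vlan.23 route and the test packets are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed FIB. 10.1.22.0/27 -> vlan.22 and 192.168.1.0/24 -> vlan.8 are
# the routes shown in the post; 10.1.23.0/27 -> vlan.23 is an assumption
# (the post's log shows 10.1.23.2 arriving spoofed on vlan.22).
FIB = [
    (ipaddress.ip_network("10.1.22.0/27"), "vlan.22"),
    (ipaddress.ip_network("192.168.1.0/24"), "vlan.8"),
    (ipaddress.ip_network("10.1.23.0/27"), "vlan.23"),
]

# Constructed test traffic, all arriving on vlan.22 like the post's packets.
PACKETS = [
    {"src": "10.1.22.5", "dst": "8.8.8.8", "len": 40, "ifl": "vlan.22"},    # legitimate
    {"src": "192.168.1.2", "dst": "8.8.8.8", "len": 40, "ifl": "vlan.22"},  # belongs on vlan.8
    {"src": "10.1.23.2", "dst": "8.8.8.8", "len": 40, "ifl": "vlan.22"},    # belongs on vlan.23
    {"src": "172.16.0.9", "dst": "8.8.8.8", "len": 40, "ifl": "vlan.22"},   # no route at all
]


def fib_lookup(addr):
    """Longest-prefix match on the FIB; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, ifl) for net, ifl in FIB if ip in net]
    return max(matches)[1] if matches else None


def rpf_check(src, ingress):
    """Strict uRPF: the reverse path to src must be the ingress interface.
    A source with no route at all fails as well."""
    return fib_lookup(src) == ingress


def process(packets, fail_filter="log"):
    """Run packets through the RPF check; returns (forwarded, failure counter, log).
    fail_filter="log" mirrors the post's log-rpf filter: a term with only `log`
    has no terminating action, so the packet is logged and then accepted.
    fail_filter="discard" logs the spoofed packet and drops it instead."""
    forwarded, failures, log = [], Counter(), []
    for pkt in packets:
        if rpf_check(pkt["src"], pkt["ifl"]):
            forwarded.append(pkt)
            continue
        failures[pkt["ifl"]] += 1
        log.append(f"{pkt['ifl']} RPF fail: {pkt['src']} -> {pkt['dst']}, {pkt['len']} bytes")
        if fail_filter != "discard":
            forwarded.append(pkt)  # logged, yet still forwarded
    return forwarded, failures, log
```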