04 August, 2014

Unicast Reverse Path Forwarding (uRPF)

Dynamic Spoof Prevention Based on the Routing Table:
The router checks the source address of every packet that arrives on a uRPF-enabled interface against its own routing (CEF) table. A source that the router could not route back the way it came (strict) or could not route at all (loose) is treated as spoofed and dropped, so the filter updates itself as routes change, without a static anti-spoofing ACL per interface.

Attack Scenario:
R2 puts a fake address (23.1.0.3 below) on a loopback and sends traffic sourced from it toward R1. R1's best route to 23.1.0.3 does not point back out Fa0/0, the interface the packets arrive on, so R1 should drop them and log the attempt.

uRPF Modes:
- Strict  (rx)  : the packet passes only if the best route to its source address exits through the interface it was received on. Safe on customer/access edges; breaks asymmetric routing.
- Loose   (any) : the packet passes if any route to the source exists, regardless of interface. Catches unrouted (bogon) sources only; suitable where return traffic may take a different path.

Options:
- Allow self ping  (allow-self-ping) : lets the router ping its own interface address on a uRPF interface, which strict mode would otherwise drop.
- Allow default route (allow-default) : lets the default route count as a valid path for the source. Caveat: on an interface that the default route points out of, strict mode then accepts any source, so enable it only where that is intended.
- ACL : an access-list consulted only for packets that FAIL the check. A permit entry forwards the packet anyway (counted as a "suppressed verification drop"); a deny entry drops it, and with log/log-input records it.
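The following Python model of the uRPF decision (strict vs. loose, allow-default, and the ACL exemption) is an added example, not Cisco IOS code and not from the original notes. The routing table for R1 is constructed: it assumes 23.1.0.0/24 is reachable via Fa0/1 and that the default route also leaves via Fa0/1, so a packet from 23.1.0.3 arriving on Fa0/0 fails the strict check exactly as in the test below.

```python
"""Model of the uRPF decision logic (added example; simplified, not IOS code)."""
import ipaddress
from collections import Counter

# Constructed routing table for R1 (assumption, not taken from the page):
# prefix -> outgoing interface. The /0 entry is the default route.
R1_ROUTES = {
    ipaddress.ip_network("10.1.0.0/24"): "FastEthernet0/0",
    ipaddress.ip_network("23.1.0.0/24"): "FastEthernet0/1",
    ipaddress.ip_network("0.0.0.0/0"):   "FastEthernet0/1",
}


def lookup(routes, src):
    """Longest-prefix match; returns (prefix, out_iface) or None."""
    matches = [(p, i) for p, i in routes.items() if src in p]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def acl_123(src):
    """The page's ACL 123: 'deny ip any any' -> every packet that failed uRPF is dropped."""
    return "deny"


def urpf(routes, src, in_iface, mode="rx", allow_default=False, acl=None):
    """
    One uRPF decision for a packet with source `src` received on `in_iface`.
    mode: "rx" (strict) or "any" (loose).
    Returns "pass" (check ok), "drop" (failed), or "acl-permit"
    (failed, but forwarded because the ACL permitted it; IOS counts this
    as a 'suppressed verification drop').
    """
    src = ipaddress.ip_address(src)
    match = lookup(routes, src)
    ok = False
    if match is not None:
        prefix, out_iface = match
        is_default = prefix.prefixlen == 0
        if is_default and not allow_default:
            ok = False                      # default route not accepted as a path
        elif mode == "any":
            ok = True                       # loose: any route is enough
        else:
            ok = out_iface == in_iface      # strict: must point back out the rx interface
    if ok:
        return "pass"
    if acl is not None and acl(src) == "permit":
        return "acl-permit"
    return "drop"


def simulate(packets, **opts):
    """Replay (src, in_iface) pairs and return the counters 'show ip interface' would report."""
    c = Counter()
    for src, iface in packets:
        c[urpf(R1_ROUTES, src, iface, **opts)] += 1
    return {"verification drops": c["drop"],
            "suppressed verification drops": c["acl-permit"],
            "forwarded": c["pass"]}


# Constructed traffic: the page's scenario is ten ICMP echoes from 23.1.0.3 on Fa0/0.
SPOOFED_PINGS = [("23.1.0.3", "FastEthernet0/0")] * 10

if __name__ == "__main__":
    print(simulate(SPOOFED_PINGS, mode="rx", allow_default=True, acl=acl_123))
```

Switching `mode` to `"any"` on the same packets makes them pass, because R1 does have a route to 23.1.0.0/24 (just not via Fa0/0); that is the whole difference between loose and strict. A source matching only the default route passes in loose mode solely when `allow_default` is set.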
! On R2, configure a loopback with the fake (spoofed) source address
R2(config)#in lo 0
R2(config-if)#ip address 23.1.0.3 255.255.255.255

! Create the access-list uRPF will consult for packets that fail the check
! (deny = drop and log; a permit entry would forward the packet anyway)
R1(config)#access-list 123 deny ip any any log-input
* Note : log-input adds the input interface and source MAC address to each log message, so the spoofing host can be traced even though the IP source is fake

! Enable uRPF on Fas 0/0 in strict mode, accept the default route as a path, and apply ACL 123 to failed packets
R1(config)#in fas 0/0
R1(config-if)#ip verify unicast source reachable-via rx allow-default 123

* Note :
rx  = Strict 
any = Loose 

! From R2, ping R1 sourcing the fake address to test uRPF
R2#ping 10.1.0.26 source lo 0 repeat 10

! R1 logs the denied packets: the first one immediately, the remaining nine summarised at the next logging interval (1 + 9 = 10)
*Aug  4 19:06:17.491: %SEC-6-IPACCESSLOGDP: list 123 denied icmp 23.1.0.3 (FastEthernet0/0 ca00.0a5c.001c) -> 10.1.0.26 (0/0), 1 packet
*Aug  4 19:11:52.119: %SEC-6-IPACCESSLOGDP: list 123 denied icmp 23.1.0.3 (FastEthernet0/0 ca00.0a5c.001c) -> 10.1.0.26 (0/0), 9 packets

! Verify on R1: 10 verification drops match the 10 pings sent from the fake source
R1#show ip interface fastEthernet 0/0 | begin IP verify
  IP verify source reachable-via RX, allow default, ACL 123
  10 verification drops
  0 suppressed verification drops

* Note : "suppressed verification drops" counts packets that failed the uRPF check but were forwarded because the ACL permitted them; with a deny-all ACL it stays at 0
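To turn the log messages above into something actionable, the script below (an added example, not from the original notes) parses %SEC-6-IPACCESSLOG messages, totals denied packets per spoofed source and source MAC, and reconciles that total with the "verification drops" counter from the show output. The two log lines and the show output are copied from the page; the third log line, from a second fake source behind the same MAC, is constructed to show why grouping by MAC matters.

```python
"""Aggregate IOS uRPF/ACL log-input messages and reconcile with the drop counter (added example)."""
import re
from collections import defaultdict

# Matches IPACCESSLOGDP (icmp) and IPACCESSLOGP (tcp/udp, where src/dst carry '(port)').
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\(\d+\))? \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\) -> "
    r"(?P<dst>[\d.]+)(?:\(\d+\))?(?: \([^)]*\))?, (?P<count>\d+) packets?"
)

# Log lines as printed on the page.
PAGE_LINES = [
    "*Aug  4 19:06:17.491: %SEC-6-IPACCESSLOGDP: list 123 denied icmp 23.1.0.3 "
    "(FastEthernet0/0 ca00.0a5c.001c) -> 10.1.0.26 (0/0), 1 packet",
    "*Aug  4 19:11:52.119: %SEC-6-IPACCESSLOGDP: list 123 denied icmp 23.1.0.3 "
    "(FastEthernet0/0 ca00.0a5c.001c) -> 10.1.0.26 (0/0), 9 packets",
]

# Constructed line (not from the page): same MAC, different fake source address.
CONSTRUCTED_LINES = [
    "*Aug  4 19:15:02.003: %SEC-6-IPACCESSLOGDP: list 123 denied icmp 192.0.2.7 "
    "(FastEthernet0/0 ca00.0a5c.001c) -> 10.1.0.26 (0/0), 4 packets",
]

SHOW_OUTPUT = """  IP verify source reachable-via RX, allow default, ACL 123
  10 verification drops
  0 suppressed verification drops"""


def parse_line(line):
    """Return the parsed fields of one log message, or None if it is not an ACL log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["count"] = int(d["count"])
    return d


def aggregate(lines):
    """Total denied packets keyed by (source IP, input interface, source MAC)."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec:
            totals[(rec["src"], rec["iface"], rec["mac"])] += rec["count"]
    return dict(totals)


def sources_by_mac(lines):
    """Map each source MAC to the set of IP sources it used: one MAC, many fake IPs = spoofing host."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            seen[rec["mac"]].add(rec["src"])
    return {mac: sorted(srcs) for mac, srcs in seen.items()}


def verification_drops(show_text):
    """Extract the 'verification drops' counter (not the 'suppressed' one) from show output."""
    m = re.search(r"^\s*(\d+) verification drops", show_text, re.M)
    return int(m.group(1)) if m else None


def reconcile(lines, show_text):
    """Compare logged denies with the interface counter; returns (logged, counter, consistent)."""
    logged = sum(aggregate(lines).values())
    counter = verification_drops(show_text)
    return logged, counter, logged == counter


if __name__ == "__main__":
    print(aggregate(PAGE_LINES))
    print(sources_by_mac(PAGE_LINES + CONSTRUCTED_LINES))
    print(reconcile(PAGE_LINES, SHOW_OUTPUT))
```

Logged denies can legitimately be lower than the counter when logging is rate-limited, so treat a mismatch as a prompt to check `ip access-list log-update threshold` and logging rate limits rather than as evidence of a bug.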