sims
Explorer II
July 3, 2019
Question

rpf


Hi,

What does the text below mean?

  The rpf is only carried out on:

  • the first packet in the session, not on a reply
  • the next packet in the original direction after a route change, not on a reply

And how to check if there were any spoofing attacks?

Thanks

    1 reply

    ede_pfau
    SuperUser
    July 3, 2019

    When there is no session already, the first packet is examined if there is a valid route to the source network. After that has been approved you don't need to re-check reply traffic or further traffic from that source as there must be a valid route. If there is not, the session will not be established and the packet will be dropped.

    Same for route changes when there are sessions going on: first packet is used to do the RPF check, session is dropped or continues.

    ede_pfau
    SuperUser
    July 3, 2019

    Spoofing attacks could be found in the logs ("RPF check failed, dropped"). But as they are numerous usually, you don't look for them unless you suspect a false positive (i.e., you want that traffic but it doesn't come through).
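
Added example, not part of the thread and not vendor code: a toy Python model of the behaviour the replies describe (check on the first packet, no check on replies, re-check on the next original-direction packet after a route change), plus a tally of drop log lines. It assumes a strict check (the best route to the source must point back at the arrival interface) and sessions keyed by (src, dst); the class and function names, addresses, interface names and the `src=`/`in_if=` log fields are constructed.

```python
import ipaddress
from collections import Counter

class RpfFirewall:
    """Toy model of session-based RPF; a constructed illustration, not vendor code."""
    def __init__(self, routes):
        # sessions: (src, dst) -> True when a route change requires a re-check
        self.sessions, self.log = {}, []
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes]

    def set_routes(self, routes):
        """Route change: flag sessions so the next original-direction packet is re-checked."""
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes]
        self.sessions = dict.fromkeys(self.sessions, True)

    def best_interface(self, ip):
        """Longest-prefix match; returns the interface of the best route, or None."""
        addr = ipaddress.ip_address(ip)
        hits = [(net.prefixlen, ifc) for net, ifc in self.routes if addr in net]
        return max(hits)[1] if hits else None

    def receive(self, src, dst, in_if):
        if (dst, src) in self.sessions:        # reply direction: never RPF-checked
            return "accept-reply"
        if self.sessions.get((src, dst)) is False:
            return "accept"                    # established, no route change since the check
        if self.best_interface(src) != in_if:  # first packet, or first after a route change
            self.sessions.pop((src, dst), None)
            self.log.append(f"RPF check failed, dropped src={src} in_if={in_if}")
            return "drop"
        self.sessions[(src, dst)] = False
        return "accept-checked"

def drops_by_source(log):
    """Tally dropped sources so a wanted flow that fails RPF stands out."""
    return Counter(line.split("src=")[1].split()[0] for line in log)

def demo():
    fw = RpfFirewall([("10.0.0.0/24", "lan"), ("0.0.0.0/0", "wan")])
    out = [fw.receive("10.0.0.5", "8.8.8.8", "lan"),   # first packet: checked
           fw.receive("8.8.8.8", "10.0.0.5", "wan"),   # reply: not checked
           fw.receive("10.0.0.5", "8.8.8.8", "lan"),   # same session: not re-checked
           fw.receive("10.0.0.77", "8.8.8.8", "wan")]  # LAN source arriving on wan
    fw.set_routes([("10.0.0.0/24", "dmz"), ("0.0.0.0/0", "wan")])
    out.append(fw.receive("8.8.8.8", "10.0.0.5", "wan"))  # reply after route change
    out.append(fw.receive("10.0.0.5", "8.8.8.8", "lan"))  # original direction: re-checked
    return out, drops_by_source(fw.log)

if __name__ == "__main__":
    print(demo())
```

The last packet in `demo()` is the false-positive case from the thread: a wanted flow that stops passing after a route change and shows up in the drop tally.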