I've configured ip verify unicast reverse-path on a Cisco 2611 running 12.3(26) code. ip cef is enabled globally but turned off using the no ip route-cache cef command on all interfaces except the WAN-facing interface (serial 0/0).
interface Serial0/0
 description connected to internet
 ip address 100.100.20.10 255.255.255.252
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nat outside
 ip route-cache flow
 no ip mroute-cache
 no cdp enable
Whenever I reload the router, it works for a while, then quits working. The show ip traffic counter for unicast rpf drops quits climbing after a few minutes and stays where it stopped.
Rcvd: 35015 total, 346 local destination
0 format errors, 0 checksum errors, 0 bad hop count
0 unknown protocol, 17 not a gateway
0 security failures, 0 bad options, 0 with options
Opts: 0 end, 0 nop, 0 basic security, 0 loose source route
0 timestamp, 0 extended security, 0 record route
0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
0 fragmented, 0 fragments, 0 couldn't fragment
Bcast: 6 received, 0 sent
Mcast: 0 received, 0 sent
Sent: 265 generated, 23074 forwarded
Drop: 1 encapsulation failed, 0 unresolved, 0 no adjacency
120 no route, 467 unicast RPF, 0 forced drop
0 options denied
Drop: 0 packets with source IP address zero
Drop: 0 packets with internal loop back IP address
Can anyone think of a reason it works for a few seconds after bootup then stops?
I took out the ip route-cache flow statement thinking that was the problem, but still no change in the counter so far.
There are multiple ways to achieve the same goal; some examples are:
> Policy Based Routing + ACLs (Two interfaces, marking on one, dropping via ACL)
> MPF 'drop' keyword
> Black Hole Routing (Routes to Null 0)
Each method has its pros and cons: ACLs and static routes are difficult to maintain and operate, and ACLs with the 'log' keyword are process switched, making them slow.
Black hole routing works by sending spoofed traffic (hitting the bogons) to Null0. Since Null0 is a direct adjacency (a sort-of interface) on all CEF-enabled routers, this is relatively faster.
uRPF is commonly used with Remotely Triggered Blackhole routing (RTBH). For example, say one manages a large organization with multiple entry points into the network. Now you know your network is under a DoS attack from source 220.127.116.11/24. With RTBH, all edge routers have uRPF enabled, and there is an internal router known as a 'Trigger Router'. You could inject a route into your IGP domain, something like:
ip route 18.104.22.168 255.255.255.0 null0 tag 255
And then all your edge routers would receive this route and, with the help of uRPF, drop all packets 'sourced' from the attacker network. The process is a little more complicated than this, but I hope you get the idea.
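To make the "a little more complicated" part concrete, here is an added IOS configuration sketch of source-based RTBH as it is usually built (the RFC 5635 pattern); it is my example, not configuration from the post or the poster. It carries the trigger route in iBGP rather than the IGP, because iBGP lets the trigger router rewrite the next-hop to a discard address that every edge already routes to Null0. Assumptions: AS 65000, a discard address 192.0.2.1 taken from TEST-NET-1, iBGP peering addresses 10.0.0.1 (trigger) and 10.0.0.2 (edge), the edge interface Serial0/0 from the question, and the attacker prefix 18.104.22.0/24 from the route line above (IOS normalizes 18.104.22.168/24 to that network). The edge uses uRPF loose mode (`reachable-via any`), which is available in 12.3 code; if you already run strict mode (`ip verify unicast reverse-path`) as in the question, the blackholed source is dropped by that too, but strict mode also drops legitimate asymmetric traffic, so loose mode is the safer default on an internet edge.

```ios
!===== Trigger router (constructed example) =====
! Per-attack static: the only line an operator has to touch during an incident.
! The tag lets the route-map pick up exactly these routes and nothing else.
ip route 18.104.22.0 255.255.255.0 Null0 tag 255
!
router bgp 65000
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 send-community
 ! Only statics carrying tag 255 are redistributed, via the route-map below
 redistribute static route-map RTBH-TRIGGER
!
route-map RTBH-TRIGGER permit 10
 match tag 255
 ! Next-hop is the discard address, not this router, so edges drop locally
 set ip next-hop 192.0.2.1
 set local-preference 200
 ! Keep the blackhole inside the AS; never leak it to eBGP peers
 set community no-export
 set origin igp
!
!===== Every edge router (constructed example) =====
! Permanent discard route: anything whose next-hop is 192.0.2.1 resolves to Null0.
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 65000
 neighbor 10.0.0.1 remote-as 65000
!
interface Serial0/0
 description connected to internet
 ! Loose-mode uRPF: a source whose best route is to Null0 fails the check and is dropped.
 ! Without uRPF the route only blackholes traffic TO 18.104.22.0/24, not FROM it.
 ip verify unicast source reachable-via any
!
! Verification on an edge once the trigger route has propagated:
!   show ip cef 18.104.22.5            -> should resolve via 192.0.2.1 to Null0
!   show ip traffic | include RPF      -> the "unicast RPF" drop counter should now climb
! To withdraw the blackhole, remove the tagged static on the trigger router.
```

The tag plus route-map split keeps the trigger router from redistributing every static route into BGP, and `no-export` keeps the /32 discard trick from escaping the AS. If the edge's uRPF counter stops climbing while the attack continues, check `show ip cef` for the source prefix first: uRPF can only drop what CEF resolves to Null0, and the check is only done on interfaces where CEF switching is actually in effect.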