Shulou(Shulou.com)06/01 Report--

This article focuses on "what is the role of rp_filter parameters", interested friends may wish to take a look. The method introduced in this paper is simple, fast and practical. Let's let the editor take you to learn "what is the function of rp_filter parameters"?

Introduction of rp_filter parameters

The rp_filter parameter is used to control whether the system turns on checking the source address of the packet. First, take a look at the description in the Linux kernel document documentation/networking/ip-sysctl.txt:

Rp_filter-INTEGER

0-No source validation.

1-Strict mode as defined in RFC3704 Strict Reverse Path. Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.

2-Loose mode as defined in RFC3704 Loose Reverse Path Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.

Current recommended practice in RFC3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended.

The max value from conf/ {all,interface} / rp_filter is used when doing source validation on the {interface}.

Default value is 0. Note that some distributions enable it in startup scripts.

That is, the rp_filter parameter has three values: 0, 1, 2, which means: 0: source address verification is not enabled. 1: enable strict reverse path verification. For each incoming packet, verify that its reverse path is the best path. If the reverse path is not the best path, the packet is discarded directly. 2: turn on loose reverse path check. For each incoming packet, verify whether its source address is reachable, that is, whether the reverse path can be reached (through any network port). If the reverse path is different, the packet is discarded directly. For more information about rp_filter, please refer to this post.

Solution: 1. Modify the routing table to make the response packet out of the eth2, that is, to ensure that the network card requesting the packet in and the network card out of the response packet are the same network card.

two。 Turn off the rp_filter parameter. (note that the parameters of all and default should be changed.)

1) modify the / etc/sysctl.conf file, and then sysctl-p flush to memory.

2) use sysctl-w to write directly to memory: sysctl-w net.ipv4.conf.all.rp_filter=0

3) modify / proc file system: echo "0" > / proc/sys/net/ipv4/conf/all/rp_filter

The function of enabling the rp_filter parameter

Reduce the reverse path of the DDoS attack check packet, if the reverse path is not suitable, then directly discard the packet to avoid too many invalid connections to consume system resources.

Prevent IP Spoofing from verifying the reverse path of the packet. If the reverse path corresponding to the source IP address forged by the client is not in the routing table, or if the reverse path is not the best path, the packet will be discarded directly and will not reply to the client that forged IP.

Ps: two common illegal attacks:

DDos attack (Distribute Deny of Service) distributed denial of service attack. By constructing a large number of useless packets to initiate requests to the target service, it occupies a lot of resources of the target service host, and may also cause network congestion, thus affecting the access of normal users.

IP Spoofing (IP spoofing) IP Spoofing means that a client communicates with the target service by impersonating the source IP and pretending to be another client, so as to achieve some hidden secrets.

At this point, I believe that you have a deeper understanding of "what is the role of rp_filter parameters", might as well come to the actual operation of it! Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.