Configuring Reverse Path Forwarding
Crafted sequences of TCP/IP packets may allow a remote attacker to create a denial of service (DoS) condition on routing engines (REs) running Junos OS. The attack requires a successfully established two-way TCP connection to an open port. The rate of attack traffic is lower than typical thresholds for built-in Junos OS distributed denial-of-service (DDoS) protection, so additional configuration is required to defend against these issues.
To protect against DoS attacks such as SegmentSmack, configure unicast reverse path forwarding (RPF). On an interface where unicast RPF is enabled, the router checks each incoming packet's source address against the routing table and rejects packets whose source could not legitimately arrive on that interface, which drops spoofed traffic and makes it easier to identify where an attack is actually entering the network. In strict mode (the default) the packet is accepted only if the best route back to its source leaves through the receiving interface; in loose mode it is enough that any route to the source exists. Use loose mode on links where routing is asymmetric, otherwise strict mode will also discard legitimate traffic.
To configure unicast RPF, use the rpf-check statement, which can be included at the following hierarchy levels:
[edit interfaces interface-name unit logical-unit-number family (inet | inet6)]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family (inet | inet6)]
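The following configuration is an added example, not taken from the Juniper page, showing rpf-check at the [edit interfaces ... family inet] hierarchy level in both modes. The interface names, descriptions, addresses and the filter name rpf-fail-log are assumptions for illustration: a single-homed customer port gets strict RPF with a fail-filter that counts and logs the rejected packets before discarding them, while a multihomed upstream link, where return traffic may arrive on a different interface, gets loose mode.

```junos
## Added example (not from the Juniper page). Interface names, addresses
## and the filter name are assumptions.
interfaces {
    ge-0/0/1 {
        description "customer access - single-homed, strict RPF (default mode)";
        unit 0 {
            family inet {
                rpf-check {
                    fail-filter rpf-fail-log;
                }
                address 192.0.2.1/30;
            }
        }
    }
    ge-0/0/2 {
        description "upstream link - asymmetric routing, loose RPF";
        unit 0 {
            family inet {
                rpf-check {
                    mode loose;
                }
                address 198.51.100.1/30;
            }
        }
    }
}
firewall {
    family inet {
        filter rpf-fail-log {
            term log-and-drop {
                then {
                    count rpf-fail;
                    log;
                    discard;
                }
            }
        }
    }
}
```

Without a fail-filter, packets that fail the check are silently discarded. Attaching one, as above, lets you watch the rpf-fail counter with show firewall filter rpf-fail-log after committing; a counter that climbs on an interface you expected to be clean is the signal to double-check for asymmetric routing before leaving strict mode in place.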