On Mon, Oct 6, 2025 at 10:14 AM Tom Beecher via NANOG <[email protected]>
wrote:

> On a quick first read, this seems like very much one of those things that
> is theoretically possible, but highly implausible in the real world.
>
> 1. This would be a lot of money for an attacker to spend, connecting to 3
> specific ASNs, just to slow down convergence.
>

To be fair, in Appendix A, the authors point out that the same effect can
be had through downstream connections, so long as the upstream network
isn't filtering BGP communities.  So, you can get the same effect by buying
a single BGP connection to a 4th, tier 2 network, so long as the upstream
you've chosen a) doesn't strip BGP communities inbound from customers,
b) doesn't strip BGP communities before propagating routes upstream, and
c) connects to a trio of ASNs that are mutual peers of each other.
So, I could trigger this via a simple downstream BGP adjacency through
Cogent, for example, for relatively little money.


>
> 3. p3620, 5.1 Experiment Infrastructure
>
> Their virtualized test setup is many orders of magnitude less powerful than
> the actual hardware run by the ASNs that would theoretically be
> susceptible to this. The software run on this hardware is also WAY more
> optimized than FRR and BIRD are, especially at massive BGP scale that they
> run.
>
> 4. p3622, 5.3 BGP Vortices Delay Network Convergence, Methodology
>
> This methodology is bad. "I wanted X seconds to see" is meaningless. In a
> controlled environment, you can set things up to see exactly how long
> convergence takes. You don't need to handwave it.
>
> The real DFZ sees almost constant update splashing and oscillations similar
> to this 24/7/365, none of it malicious. And it has for years.
>
>

I had to chuckle at this part:

p 3620 Discussion. To put the results above in perspective, a recent report
[28] shows that, in 2024, the APNIC R&D Center AS (AS 131072) received
around 200000 BGP updates per day, or 2.3 per second.7 Thus, the fact that
a single BGP Vortex attack, based only on 21 ASes, can induce tens of
thousands of updates per period highlights the potential impact a BGP
Vortex attack can have on the global routing system. Clearly, then, the
practical impact of the abstract results described above depends on many
factors, but most importantly:

Yes, on a typical boring day on the Internet, that's about right.
However, taking that rate as though it's indicative of what core routers
can *handle* is laughable.  Flap a transit adjacency, and your router is
going to be processing 1M+ BGP update messages hopefully in a small number
of minutes.  If my core routers can't deal with at least 200,000 BGP
updates a minute, I'm going to be in a world of hurt every time an upstream
neighbor session drops and re-establishes.

Likewise, on page 3625, the paper says:

p 3625 Rexford et al. [43] and Labovitz et al. [31] showed that while
routes to popular destinations tend to be stable over time, network changes
can trigger convergence delays lasting tens of minutes.

The two studies cited were performed in 2000, and 2002, a quarter of a
century ago.  I will confess, I'm still using network hardware from that
era...in my home network.  Any network connecting to the BGP core of the
internet that's running hardware from that era...may ${deity} have mercy on
your CPU cores.  ^_^;

While this is an interesting demonstration of something we've all had a
gut-level understanding probably takes place all the time due to
inconsistent policies and unintentional overlooking of implementation
details between peers, there are simpler ways to attack the DFZ core with
more devastating impact.  The amount of sleep I'd be losing worrying about
this is negligible.  Of course, that needs to be understood in the context
of just how little sleep I tend to get in general.   ^_^;

Thanks!

Matt
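The two upstream policy conditions Matt names, (a) stripping communities inbound from customers and (b) stripping them again before propagating routes upstream, are easy to express as a small model. The following is an added example written for this archive page; it is not code from the thread, from the paper, or from any router vendor. All AS numbers (64496, 64500, 64510, 64511), community values and policy names are constructed for illustration; the only real value is the well-known BLACKHOLE community 65535:666 from RFC 7999. The model walks one route through a single upstream AS and reports which communities are still attached when the route is handed to that upstream's peers, so an operator can compare a passthrough configuration against a filtering one.

```python
"""Toy model of BGP community propagation through one upstream AS.

Added example, not part of the NANOG thread or the paper it discusses.
AS numbers and community values are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Tuple

Community = Tuple[int, int]          # (asn, value) as carried on an UPDATE
Policy = Callable[["Route"], "Route"]

# Well-known communities that are meant to cross AS boundaries.
WELL_KNOWN: FrozenSet[Community] = frozenset({(65535, 666)})  # BLACKHOLE, RFC 7999


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]            # most recently traversed AS first
    communities: FrozenSet[Community]


def customer_inbound_filter(local_asn: int) -> Policy:
    """Condition (a): on customer sessions keep only communities in our own
    namespace (the knobs we document for customers) plus well-known ones.
    Communities aimed at third-party ASes are dropped at the edge."""
    def policy(route: Route) -> Route:
        kept = frozenset(c for c in route.communities
                         if c[0] == local_asn or c in WELL_KNOWN)
        return Route(route.prefix, route.as_path, kept)
    return policy


def upstream_export_filter(local_asn: int) -> Policy:
    """Condition (b): towards transit providers and peers, our own action
    communities have already been acted on locally, so strip everything
    except the well-known set before the route leaves this AS."""
    def policy(route: Route) -> Route:
        kept = frozenset(c for c in route.communities if c in WELL_KNOWN)
        return Route(route.prefix, route.as_path, kept)
    return policy


def passthrough(route: Route) -> Route:
    """The leaky configuration: no community handling at all."""
    return route


def traverse(route: Route, asn: int, inbound: Policy, outbound: Policy) -> Route:
    """One AS receives the route, applies its inbound policy, prepends
    itself to the AS_PATH, and applies its outbound policy."""
    r = inbound(route)
    r = Route(r.prefix, (asn,) + r.as_path, r.communities)
    return outbound(r)


def communities_reaching_peers(route: Route, upstream_asn: int,
                               filtering: bool) -> FrozenSet[Community]:
    """Communities still attached when the upstream hands the route to its
    peers, under either the filtering or the passthrough configuration."""
    if filtering:
        inbound = customer_inbound_filter(upstream_asn)
        outbound = upstream_export_filter(upstream_asn)
    else:
        inbound = outbound = passthrough
    return traverse(route, upstream_asn, inbound, outbound).communities


# Constructed sample: a customer (AS 64496) announces a prefix carrying its
# own marker, one of the upstream's documented knobs, two communities in
# the namespaces of the upstream's peers, and the BLACKHOLE community.
UPSTREAM_ASN = 64500
SAMPLE_ROUTE = Route(
    prefix="192.0.2.0/24",
    as_path=(64496,),
    communities=frozenset({
        (64496, 1),       # customer's own marker
        (64500, 100),     # upstream's customer-facing knob
        (64510, 77),      # aimed at upstream's peer AS 64510
        (64511, 77),      # aimed at upstream's peer AS 64511
        (65535, 666),     # well-known BLACKHOLE
    }),
)

if __name__ == "__main__":
    for mode in (False, True):
        reaching = communities_reaching_peers(SAMPLE_ROUTE, UPSTREAM_ASN, mode)
        label = "filtering" if mode else "passthrough"
        print(f"{label:>11}: {sorted(reaching)}")
```

With the passthrough configuration every community on the sample route, including the two aimed at the upstream's peers, reaches those peers unchanged; with both filters in place only the well-known BLACKHOLE community survives, and the customer-facing knob (64500, 100) is consumed inside AS 64500 and never exported. The same two functions can be used as a checklist against a real export policy: if a community in a foreign namespace survives `customer_inbound_filter`, or anything beyond the well-known set survives `upstream_export_filter`, the configuration is the one Matt describes as letting a single downstream adjacency reach a trio of mutual peers.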
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/[email protected]/message/MCZZYZI6B3AIQCSHIH5FMEJQTZWPY2TY/