
On Mon, Oct 6, 2025 at 10:14 AM Tom Beecher via NANOG <nanog@lists.nanog.org> wrote:
On a quick first read, this seems like very much one of those things that is theoretically possible, but highly implausible in the real world.
1. This would be a lot of money for an attacker to spend, connecting to 3 specific ASNs, just to slow down convergence.
To be fair, in Appendix A, the authors point out that the same effect can be had through downstream connections, so long as the upstream network isn't filtering BGP communities. So, you can get the same effect by buying a single BGP connection to a 4th, tier 2 network, so long as the upstream you've chosen a) doesn't strip BGP communities inbound from customers, b) doesn't strip BGP communities before propagating routes upstream, and c) connects to a trio of ASNs that are mutual peers of each other. So, I could trigger this via a simple downstream BGP adjacency through cogent, for example, for relatively little money.
3. p3620, 5.1 Experiment Infrastructure
Their virtualized test setup is many orders of magnitude less powerful than the actual hardware run by the ASNs that would theoretically be susceptible to this. The software run on this hardware is also WAY more optimized than FRR and BIRD are, especially at the massive BGP scale that they run.
4. p3622, 5.3 BGP Vortices Delay Network Convergence, Methodology
This methodology is bad. "I wanted X seconds to see" is meaningless. In a controlled environment, you can set things up to see exactly how long convergence takes. You don't need to handwave it.
The real DFZ sees almost constant update splashing and oscillations similar to this 24/7/365, none of it malicious. And it has for years.
I had to chuckle at this part:

p 3620 Discussion: "To put the results above in perspective, a recent report [28] shows that, in 2024, the APNIC R&D Center AS (AS 131072) received around 200000 BGP updates per day, or 2.3 per second. Thus, the fact that a single BGP Vortex attack, based only on 21 ASes, can induce tens of thousands of updates per period highlights the potential impact a BGP Vortex attack can have on the global routing system. Clearly, then, the practical impact of the abstract results described above depends on many factors, but most importantly:"

Yes, on a typical boring day on the Internet, that's about right. However, taking that rate as though it's indicative of what core routers can *handle* is laughable. Flap a transit adjacency, and your router is going to be processing 1M+ BGP update messages, hopefully in a small number of minutes. If my core routers can't deal with at least 200,000 BGP updates a minute, I'm going to be in a world of hurt every time an upstream neighbor session drops and re-establishes.

Likewise, on page 3625, the paper says:

p 3625: "Rexford et al. [43] and Labovitz et al. [31] showed that while routes to popular destinations tend to be stable over time, network changes can trigger convergence delays lasting tens of minutes."

The two studies cited were performed in 2000 and 2002, a quarter of a century ago. I will confess, I'm still using network hardware from that era...in my home network. Any network connecting to the BGP core of the internet that's running hardware from that era...may ${deity} have mercy on your CPU cores. ^_^;

While this is an interesting demonstration of something we've all had a gut-level understanding probably takes place all the time due to inconsistent policies and unintentional overlooking of implementation details between peers, there are simpler ways to attack the DFZ core with more devastating impact. The amount of sleep I'd be losing worrying about this is negligible.

Of course, that needs to be understood in the context of just how little sleep I tend to get in general. ^_^;

Thanks!
Matt
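As an added illustration (not part of the thread, the paper, or any of the listed operators' configurations), here is what the mitigation Matt's reply hinges on looks like in FRR: stripping BGP communities inbound on a customer session, so that nothing a downstream attaches can steer how the upstream announces routes to its own peers. The ASN, the neighbor address and the route-map and neighbor names are placeholders chosen for the example.

```text
! Added FRR example; ASN 64496/64497, 192.0.2.1 and the names are placeholders
router bgp 64496
 neighbor 192.0.2.1 remote-as 64497
 neighbor 192.0.2.1 description CUSTOMER-PLACEHOLDER
 !
 address-family ipv4 unicast
  ! apply the inbound policy to everything learned from the customer
  neighbor 192.0.2.1 route-map CUSTOMER-IN in
 exit-address-family
!
route-map CUSTOMER-IN permit 10
 ! drop every standard and large community the customer attached
 ! before the route enters our table and is re-advertised upstream
 set community none
 set large-community none
!
```

In practice a provider usually wants to keep its own documented action communities available to customers, so the policy would match an allow-list (a `bgp community-list` of the provider's own values) and delete only what is outside it, rather than stripping everything. The equivalent in a BIRD import filter is `bgp_community = -empty-;` and `bgp_large_community = -empty-;`. Either way, the check Matt describes (does the upstream strip communities inbound from customers, and again before propagating routes upstream) is the thing to verify on your own sessions.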