- A BGP Vortex exploits widely used routing policies to trigger persistent oscillations between major Internet networks that can lead to Internet outages.
- 21/30 largest networks are susceptible to BGP Vortex attacks; a coordinated attack could impact 96% of all Internet networks.
- This exploit is enabled by BGP’s inherent lack of stability guarantees and ASes that support routing policies violating the BGP stability rules.
The Internet depends on the Border Gateway Protocol (BGP), a protocol designed over 30 years ago to route traffic between networks. Despite its importance, BGP lacks modern security and stability mechanisms, making it difficult to configure and therefore susceptible to instability, outages, and attacks.
My colleagues and I presented a new vulnerability, BGP Vortex, at USENIX Security 2025, which can flood the Internet with BGP messages, causing large-scale routing disruptions. A BGP Vortex can be triggered unintentionally or exploited maliciously as a denial-of-service (DoS) attack.
How BGP Connects the Internet
The Internet comprises numerous large, independent networks, collectively known as autonomous systems (AS). BGP connects these ASes, enabling them to communicate and exchange routing information. Without BGP, the Internet would be fragmented, meaning hosts in one AS could not reach hosts in another.
BGP exchanges “routes” consisting of the IP addresses to be routed, the AS path (sequence of ASes traffic must traverse to reach the IPs), and additional metadata. When an AS receives a new BGP route, it checks if the new route is preferred over the current route to the destination. If so, the AS adopts the new route, adds itself to the AS path, and then shares it with some of its neighboring ASes.
A fundamental problem of BGP is so-called “route oscillations,” where ASes continuously switch between routes for the same IP prefixes. This strains a router’s CPU and can result in loss of connectivity for parts of the network. Previous research has shown that oscillations can be prevented if ASes follow specific routing rules.
However, our research shows how indefinite route oscillations can be created (BGP Vortex) by exploiting two widely used BGP policies:
- lowering preference of certain routes (“local preference lowering”), and
- blocking ASes from receiving certain routes (“selective NOPEER”).
Note: These routing rules prevent route oscillations when ASes closely follow them. However, the local preference lowering policy can cause ASes to install routes they would otherwise reject (priority inversion), thereby violating these rules. This is one of the fundamental mechanisms that enable a BGP Vortex.
BGP Vortices Threaten Internet Stability
By exploiting priority inversion and selective blocking of ASes, an adversary can trigger a BGP Vortex with just three BGP-compliant route advertisements, making this an attractive DoS vector.
As part of our study, we analyzed the susceptibility of ASes to BGP Vortex and measured their impact in lab experiments. Using publicly available data, we found that 21 of the 30 largest ASes support the two vulnerable BGP policies.
Since these are the Internet’s largest and best-connected ASes, triggering all identified vortices would create a BGP route advertisement flood impacting up to 96% of all ASes on the Internet.
Our analysis shows that ASes would receive a median of 5,200 to 32,000 route advertisements per second (compared to the typical 2.3 per second). We set up a small topology of routers and found that a single vortex could delay route propagation from almost instantaneous to up to 40 seconds, resulting in communication outages lasting approximately 37 seconds.
Mitigations
We propose a partial mitigation that limits the impact of a BGP Vortex, and two mitigations that address its root causes:
- ASes can leverage existing BGP stability mechanisms, such as MinRouteAdvertisementInterval and Route-Flap Damping. However, these only slow down route oscillation rather than fix the underlying flaw, and they introduce their own tradeoffs: delayed convergence and false positives that can block legitimate route advertisements.
- Operators can prevent insecure BGP policies, which are the root cause of BGP Vortex attacks. In our paper, we propose a validation approach to verify whether BGP policies comply with the Gao-Rexford routing rules.
- The networking community can reconsider inter-domain routing itself, addressing BGP’s fundamental security and stability weaknesses. SCION, a next-generation Internet architecture, offers a compelling alternative.
Read our USENIX Security 2025 paper to learn more.
Felix Stöger is a PhD student and researcher in the Network Security Group at ETH Zürich, supervised by Prof. Dr. Adrian Perrig.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of the Internet Society.
Image by Gordon Johnson from Pixabay