When Peers Disappear: Protocol Denial of Service Attacks on BGP Routers

Master Thesis (2025)
Author(s)

M.A. Mladenov (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Contributor(s)

Georgios Smaragdakis – Mentor (TU Delft - Cyber Security)

Robert Beverly – Mentor (San Diego State University)

Taha Albakour – Mentor (Max Planck Institut für Informatik)

J.E.A.P. Decouchant – Graduation committee member (TU Delft - Data-Intensive Systems)

Alexios Voulimeneas – Graduation committee member (TU Delft - Cyber Security)

Faculty
Electrical Engineering, Mathematics and Computer Science
Publication Year
2025
Language
English
Graduation Date
11-07-2025
Awarding Institution
Delft University of Technology
Programme
Computer Science | Cyber Security
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

The Border Gateway Protocol (BGP) is the Internet's de facto inter-domain routing protocol. Due to its critical role in backbone infrastructure, denial of service attacks on BGP routers have the potential to compromise global connectivity.

BGP is not a standalone protocol; it relies on other protocols such as the Transmission Control Protocol (TCP). In this work, we research whether BGP's reliance on TCP could lead to vulnerabilities allowing non-peers to perform denial of service attacks. We develop a methodology allowing researchers, vendors, and operators to enumerate potential weaknesses or vulnerabilities in routers and propose three attack types. We apply this methodology to physical and virtual routers from three popular vendors and identify several potential vulnerabilities. We find that one vendor's BGP implementation is susceptible to two types of attacks: SYN Flood and Connection Exhaustion. They allow a remote non-peered attacker to stop legitimate peers from connecting to the BGP listener of the affected router, preventing the exchange of routes. We responsibly disclose the vulnerability to the affected vendor. Our results show that as few as 5 to 20 packets per second can be sufficient to perform denial of service. Finally, we propose several ways to mitigate the impact of the proposed attacks.
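The two attack classes named above both leave a footprint in the router's TCP socket table: a SYN Flood piles up half-open (SYN-RECV) connections on the BGP listener, and Connection Exhaustion fills the listener's accept capacity with fully established sessions from addresses that are not configured peers. The following is an added example, not code from the thesis, that turns that observation into a check: it parses `ss -tan`-style socket-table output (as produced on a Linux-based router, route server or collector; vendor CLIs format this differently) and flags non-peer pressure on TCP/179. The sample socket table, the peer list and the two thresholds are constructed for illustration and are not measurements from the thesis.

```python
"""Check a TCP socket table for SYN-flood / connection-exhaustion pressure on
the BGP listener (TCP/179).  Added example; the sample table below and the
thresholds are constructed, not results from the thesis."""
from collections import Counter
from dataclasses import dataclass

BGP_PORT = 179


@dataclass(frozen=True)
class Sock:
    state: str
    local_ip: str
    local_port: int
    peer_ip: str
    peer_port: str  # kept as str because listeners show '*'


def _split_addr(addr):
    """Split 'ip:port' for both IPv4 and bracketed IPv6 ('[2001:db8::1]:179')."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def parse_ss(text):
    """Parse the first five columns of `ss -tan` output into Sock records."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] in ("State", "Netid"):  # skip header
            continue
        state, _recvq, _sendq, local, peer = parts[:5]
        lip, lport = _split_addr(local)
        pip, pport = _split_addr(peer)
        if not lport.isdigit():
            continue
        socks.append(Sock(state, lip, int(lport), pip, pport))
    return socks


def bgp_pressure(text, configured_peers, half_open_limit=8, per_source_limit=4):
    """Count non-peer connections against the BGP listener and report findings.

    half_open_limit / per_source_limit are assumed thresholds for this example;
    tune them to the platform's real accept-queue and session limits."""
    peers = set(configured_peers)
    half_open = Counter()     # SYN-RECV sockets per remote address
    established = Counter()   # ESTAB sockets per remote address
    for s in parse_ss(text):
        if s.local_port != BGP_PORT or s.peer_port == "*":  # not a BGP session
            continue
        if s.peer_ip in peers:  # legitimate neighbour, ignore
            continue
        if s.state in ("SYN-RECV", "SYN_RECV"):
            half_open[s.peer_ip] += 1
        elif s.state in ("ESTAB", "ESTABLISHED"):
            established[s.peer_ip] += 1
    findings = []
    total_half_open = sum(half_open.values())
    if total_half_open >= half_open_limit:
        findings.append(
            f"possible SYN flood: {total_half_open} half-open non-peer connections on TCP/{BGP_PORT}")
    for ip, n in established.items():
        if n >= per_source_limit:
            findings.append(
                f"possible connection exhaustion from {ip}: {n} established non-peer sessions")
    return {"half_open": dict(half_open), "established": dict(established), "findings": findings}


# Constructed sample socket table (RFC 5737 documentation addresses):
# one legitimate peer, one unrelated SSH session, eight half-open SYNs from
# 203.0.113.7 and four full non-peer sessions from 203.0.113.9.
SAMPLE_SS = "\n".join(
    ["State    Recv-Q Send-Q Local Address:Port   Peer Address:Port",
     "LISTEN   0      16     0.0.0.0:179          0.0.0.0:*",
     "ESTAB    0      0      192.0.2.1:179        192.0.2.2:51234",
     "ESTAB    0      0      192.0.2.1:22         198.51.100.5:60000"]
    + [f"SYN-RECV 0      0      192.0.2.1:179        203.0.113.7:{40000 + i}" for i in range(1, 9)]
    + [f"ESTAB    0      0      192.0.2.1:179        203.0.113.9:{40100 + i}" for i in range(1, 5)]
)

if __name__ == "__main__":
    for f in bgp_pressure(SAMPLE_SS, {"192.0.2.2"})["findings"]:
        print(f)
```

On a live box, feed the function the output of `ss -tan` (or the equivalent socket listing) and the router's configured neighbour addresses; the check is deliberately blind to the legitimate peers, so any SYN-RECV or ESTAB socket it counts is by construction traffic the BGP listener should never have had to accept.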

Files

License info not available

File under embargo until 27-08-2025