The Border Gateway Protocol (BGP) is the backbone of the Internet. It directs traffic between different autonomous systems (AS), which is what ultimately gets packets to any website. While BGP hijacking attacks are a known threat, a new type of attack known as BGP Vortex introduces a particularly insidious challenge to network stability. First presented at the USENIX Security Conference in August 2025, this attack exploits standard BGP extensions to trigger a denial of service (DoS) by flooding the network with update messages.
Unlike traditional hijacking attacks that redirect traffic, the BGP Vortex doesn’t manipulate routes to intercept data. Instead, it destabilizes them to generate a message storm (hence the name Vortex) that floods the routers’ control plane. What makes it particularly dangerous is that it uses completely legitimate, standard BGP messages, which allows it to bypass current defenses such as BGPSEC and RPKI.
About the BGP Vortex
The BGP Vortex is a phenomenon where three interconnected ASes get trapped in a state of persistent route oscillations. These oscillations not only overload routers of ASes in the Vortex but also cause a surge of route advertisements that are disseminated across the Internet and possibly overload routers of ASes that are not part of the Vortex.
Attack Mechanism
The BGP Vortex manipulates two commonly used BGP communities for traffic engineering:
Lower Local Preference Below Peer: When attached to a route advertisement, this community instructs a BGP peer to reduce the local preference of that route below the preference it would have if received from other peers.
Selective NOPEER: This community instructs an autonomous system not to advertise the routes it receives to certain peers.
The attack exploits a specific configuration involving three vulnerable autonomous systems (AS) that peer with each other and honor these communities. By sending three specific BGP UPDATE messages, the attacker induces these ASes to enter a vicious cycle of routing oscillations.
Triggering the oscillation: An attacker sends an UPDATE message to a vulnerable AS. This message, which contains the malicious communities, causes a cascade of route update and withdrawal messages between the three ASes.
Creating the loop: The routing configurations and policies of the three ASes react to the messages creating an infinite loop. The route is repeatedly announced and withdrawn by the three peers.
Creating the update storm: The oscillation amplifies as it propagates through the network’s “branches.” Each time the route changes within the loop, a new wave of BGP UPDATE messages is generated, propagating to thousands of networks in the customer cones of the affected ASes. This can generate thousands of updates per second.
Impact and Consequences
What makes this attack particularly serious is that it uses only legitimate BGP rules and packets — no malformed or malicious packets are involved. The technique simply manipulates BGP communities and BGP UPDATE messages.
The BGP Vortex can cause major Internet disruptions:
Router overload: The flood of BGP UPDATE messages saturates the routers’ control plane, which must process each update and withdrawal. This consumes a significant amount of CPU and memory resources, leading to widespread slowdowns.
Data layer failures: Control-plane overload can make routers’ forwarding tables inconsistent. This can cause intermittent forwarding loops, which in turn can congest links and cause packet losses, severely impacting connectivity.
Internet instability: The update storm’s domino effect can spread beyond the initially targeted networks. A single BGP Vortex could destabilize large sections of Internet infrastructure, affecting multiple users and services.
Attack Flow
This scenario shows how the combination of the Lower Local Pref and Selective NOPEER communities can cause persistent route oscillations between three autonomous systems (AS 1, AS 2, AS 3) connected in a triangular topology.
The attacker (AS 4, a multihomed customer) uses these communities to manipulate route selection and propagation.
Stage 1. Initial prefix injection by the customer (AS4)
AS4 (the multihomed customer) advertises prefix 2001:db8::/32 to its three providers (AS 1, AS 2, and AS 3).
It adds the following communities:
4:90 → instructs each provider to lower its internal LocalPref to 90 (Lower Local Preference Below Peer).
65500:x → Selective NOPEER, restricting redistribution among peers:
65500:1 → AS 2 does not advertise to AS 1.
65500:2 → AS 3 does not advertise to AS 2.
65500:3 → AS 1 does not advertise to AS 3.
With this, the attacker sets the stage for a circular flow of advertisements.
Stage 2. Selective route redistribution
Each ISP installs the customer’s route (LP = 90) and advertises it once again to its peers based on Selective NOPEER restrictions.
This creates a partial, asymmetric propagation:
AS 1 → AS 2, but not → AS 3.
AS 2 → AS 3, but not → AS 1.
AS 3 → AS 1, but not → AS 2.
Stage 3. Reselection of routes and withdrawal of advertisements
The three ASes begin to compare internal and external routes:
AS 1 receives the prefix from AS 3, installs it with best local preference (100), and withdraws the one it learned from AS 4.
Under peer-to-peer policy, AS 1 does not re-advertise the new route to AS 2.
This change in the best route produces the first oscillation: AS 2 loses the route via AS 1 and must select another alternative (via AS 4).
Stage 4. Vortex formation (update loop)
AS 2 installs the route it receives from AS 4 and advertises it to AS 3.
Once it receives the route, AS 3 prefers this route, installs it, and withdraws the previous route to AS
AS 1 detects the loss of the advertisement from AS 3 and reinstalls the version from AS 4.
The cycle repeats.
This endless exchange of update/withdraw messages creates the BGP Vortex described above. The phenomenon propagates quickly through the topology, especially in densely connected environments, saturating the control plane’s buffers and processing tables.
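To make the cycle above concrete, here is an added Python model of the three-provider scenario. It is example code written for this page, not code from the USENIX paper or from any router vendor. Each provider keeps an Adj-RIB-In, selects the route with the highest LocalPref, and exports only customer-learned routes to peers (the peer-to-peer policy from Stage 3), minus the exports blocked by Selective NOPEER. Running the same model with the communities ignored (customer routes keep a LocalPref above peer routes and are exported to every peer) shows that the triangle then converges after a single round of announcements. The ASNs, LocalPref values (90 for the lowered customer route, 100 for peer routes, 200 for the untouched customer route), FIFO message ordering and tie-break rule are constructed assumptions.

```python
from collections import deque

PROVIDERS = (1, 2, 3)      # AS 1, AS 2, AS 3: the peering triangle (constructed)
CUSTOMER_AS = 4            # AS 4: multihomed customer of all three (constructed)
PEER_LP = 100              # LocalPref given to routes learned from a peer (assumed)

# Selective NOPEER communities as described in Stage 1 (constructed mapping):
# 65500:1 -> AS 2 does not advertise to AS 1
# 65500:2 -> AS 3 does not advertise to AS 2
# 65500:3 -> AS 1 does not advertise to AS 3
NOPEER = {"65500:1": (2, 1), "65500:2": (3, 2), "65500:3": (1, 3)}


def simulate(honor_communities, max_steps=500):
    """Event-driven model of route selection and export inside the triangle.

    honor_communities=True: 4:90 sets the customer route's LocalPref to 90
    (below PEER_LP) and the Selective NOPEER exports are suppressed.
    honor_communities=False: the hardened case, where both communities are
    ignored, customer routes keep LocalPref 200 and go to every peer.
    Returns {'converged', 'messages' (UPDATEs exchanged between providers),
    'steps' (messages processed)}.
    """
    customer_lp = 90 if honor_communities else 200
    blocked = set(NOPEER.values()) if honor_communities else set()

    rib_in = {asn: {CUSTOMER_AS: customer_lp} for asn in PROVIDERS}  # source -> LocalPref
    best = {asn: None for asn in PROVIDERS}   # currently selected source per provider
    queue = deque()                            # in-flight messages: (kind, src, dst)
    messages = 0

    def select(asn):
        routes = rib_in[asn]
        # highest LocalPref wins; tie-break on the lowest neighbour ASN (constructed rule)
        return max(routes, key=lambda src: (routes[src], -src)) if routes else None

    def reselect(asn):
        nonlocal messages
        new, old = select(asn), best[asn]
        if new == old:
            return
        best[asn] = new
        for peer in PROVIDERS:
            if peer == asn or (asn, peer) in blocked:
                continue
            # peer-to-peer policy: only customer-learned routes are exported to peers
            if new == CUSTOMER_AS:
                queue.append(("announce", asn, peer))
                messages += 1
            elif old == CUSTOMER_AS:
                queue.append(("withdraw", asn, peer))
                messages += 1

    def snapshot():
        ribs = tuple((a, tuple(sorted(rib_in[a].items()))) for a in PROVIDERS)
        return ribs, tuple(queue)

    for asn in PROVIDERS:           # Stage 2: every provider installs the customer route
        reselect(asn)

    seen = {snapshot()}
    processed = 0
    while queue and processed < max_steps:
        kind, src, dst = queue.popleft()
        if kind == "announce":
            rib_in[dst][src] = PEER_LP
        else:
            rib_in[dst].pop(src, None)
        reselect(dst)               # Stages 3 and 4: reselection and re-export
        processed += 1
        state = snapshot()
        if state in seen:           # identical RIBs and pending messages: the loop is closed
            return {"converged": False, "messages": messages, "steps": processed}
        seen.add(state)
    return {"converged": not queue, "messages": messages, "steps": processed}


if __name__ == "__main__":
    print("communities honored:", simulate(True))
    print("communities ignored:", simulate(False))
```

With the communities honored, the model returns to its starting state after 18 processed messages and 21 UPDATEs between the providers, and would keep cycling forever; each announce or withdraw in this loop is what fans out to the customer cones described above. With the communities ignored, six announcements are exchanged and every provider keeps its customer route.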
Existing BGP security mechanisms are designed to validate the authenticity and authorization of route advertisements, not to detect oscillations caused by legitimate policies.
RPKI/ROV: Resource Public Key Infrastructure and Route Origin Validation do not protect against this attack, as the prefix advertised by the attacker is valid and the messages are not spoofed.
BGPSEC: This security protocol is also ineffective, as the messages are properly signed and authorized, even though their combination produces the harmful effect.
My BGP configuration is very simple; I don’t speak BGP communities. Can I be affected?
Yes, although not directly. The BGP Vortex can indirectly affect routers that do not use or are not enabled for BGP communities, or that do not specifically support the Lower Local Preference Below Peer and Selective NOPEER communities. The impact is due to the propagation of the flood of BGP update messages, not by the manipulation of the communities themselves.
Am I safe if my router only receives the default route from my upstream providers?
The answer is: it depends.
Case 1: If your provider has an outgoing filter that only allows the default route, then you are safe.
Case 2: If you filter everything your provider sends you and keep only the default route, then you are not safe, because your router still receives the BGP update message flood.
The Role of IXPs in Internet Topology Changes and the BGP Vortex
In the past, Internet Exchange Points (IXPs) followed a fairly hierarchical topology: ISPs primarily connected to transit providers, and lateral peering relationships were relatively limited. However, with the rapid expansion of regional and global IXPs, this structure has “flattened.” Each ISP now connects to a much larger number of neighbors, increasing the density of peering triangles (i.e., groups of three directly interconnected ASes). This phenomenon also promotes multihoming: smaller ASes can be connected to three or more upstream providers or IXPs, becoming potential triggers of control plane instabilities, such as the BGP Vortex attack. In this sense, could the rise of IXPs be creating a breeding ground for this type of damage to spread more rapidly and extensively?
What Mitigation Strategies Are Available Today?
Because the BGP Vortex exploits a weakness in the use of standard extensions, solutions require careful consideration of the trade-offs between routing security and flexibility.
Disabling vulnerable communities: The most effective measure is for network operators to disable the Lower Local Pref Below Peer and Selective NOPEER communities. While this eliminates the vulnerability, it also reduces the flexibility of traffic engineering these tools provide.
Adjusting BGP timers: Modifying mechanisms such as the Minimum Route Advertisement Interval (MRAI) timer might slow the flow of updates. However, this would also delay network convergence under normal conditions, impacting overall performance.
Monitoring and detection: Implementing comprehensive monitoring of control-plane CPU usage and the BGP UPDATE message rate can help operators quickly detect and respond to an ongoing attack.
Adopting future architectures: Research on the BGP Vortex underscores the need for more secure and resilient routing architectures. In the long term, adopting technologies such as SCION, a next-generation Internet architecture, could provide immunity against these types of attacks.
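As an added illustration of the monitoring and detection point above (example code written for this page, not code from the article or the paper), the Python below takes constructed collector-style log lines of BGP UPDATEs, keeps a sliding-window count per neighbour and prefix, counts announce/withdraw alternations so that vortex-style oscillation can be told apart from a burst of distinct announcements, and reports the peak aggregate UPDATE count as a control-plane load indicator. The log format, ASNs, prefixes, window length and threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_sample_log():
    """Constructed input, not any vendor's log format: one line per BGP UPDATE
    as 'ISO-timestamp neighbor_asn A|W prefix'. Forty alternating announce/withdraw
    messages for one prefix 50 ms apart model vortex churn; three updates for a
    second prefix spread over 45 s model ordinary activity."""
    t0 = datetime(2025, 8, 14, 10, 0, 0)
    lines = []
    for i in range(40):
        ts = t0 + timedelta(milliseconds=50 * i)
        kind = "A" if i % 2 == 0 else "W"
        lines.append(f"{ts.isoformat(timespec='milliseconds')} 64501 {kind} 2001:db8::/32")
    for secs, kind in ((3, "A"), (30, "W"), (45, "A")):
        ts = t0 + timedelta(seconds=secs)
        lines.append(f"{ts.isoformat(timespec='milliseconds')} 64502 {kind} 203.0.113.0/24")
    return sorted(lines)


def parse_line(line):
    ts, neighbor, kind, prefix = line.split()
    return datetime.fromisoformat(ts), int(neighbor), kind, prefix


def detect_churn(lines, window_s=10.0, threshold=20):
    """Raise one alert per (neighbor, prefix) whose UPDATE count within a
    window_s-second sliding window reaches `threshold`. 'flaps' is the number of
    announce<->withdraw transitions seen for that key up to the alert."""
    windows = defaultdict(deque)   # key -> timestamps still inside the window
    flaps = defaultdict(int)
    last_kind = {}
    alerted, alerts = set(), []
    for line in lines:
        ts, neighbor, kind, prefix = parse_line(line)
        key = (neighbor, prefix)
        q = windows[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop timestamps that aged out
            q.popleft()
        if key in last_kind and last_kind[key] != kind:
            flaps[key] += 1
        last_kind[key] = kind
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"neighbor": neighbor, "prefix": prefix, "count": len(q),
                           "flaps": flaps[key], "at": ts.isoformat()})
    return alerts


def peak_update_rate(lines, window_s=10.0):
    """Highest number of UPDATEs from all neighbors inside any window_s-second
    window, regardless of which prefix is churning."""
    q, peak = deque(), 0
    for line in lines:
        ts = parse_line(line)[0]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        peak = max(peak, len(q))
    return peak


if __name__ == "__main__":
    log = make_sample_log()
    for alert in detect_churn(log):
        print("ALERT", alert)
    print("peak UPDATEs in a 10 s window:", peak_update_rate(log))
```

On the constructed sample the churning prefix trips the alert on its 20th UPDATE, less than a second after the first one, with 19 flaps recorded, while the ordinary prefix never does; the peak window count of 41 is the figure an operator would graph next to route-processor CPU. In a real deployment the thresholds need tuning per neighbour, because a large transit session legitimately carries far more UPDATEs per window than a stub customer.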
Conclusion
The BGP Vortex serves as a reminder that Internet infrastructure security must be a continuous effort. By exploiting a combination of legitimate extensions, this attack shows that BGP reliability can be compromised in subtle and difficult-to-detect ways. Whether disabling problematic communities or pursuing more secure architectures, the Internet community’s response will be crucial to defend against this and future threats.