Routing Update Flooding

Modern networks, even fairly small ones, contain hundreds of routers, which makes dynamic routing protocols a necessity. They allow new parts of the network to be added easily and reduce provisioning time. A network design cannot scale without routing protocols, so they become the brain of the network, and protecting that brain is a vital part of corporate security.

Every routing protocol sends packets containing routing information, plus keepalives (hellos), to its neighbors to prove that it is alive and that it is safe to route through it. All of these updates and keepalives are processed by the CPU of the routing engine, so sending a large volume of spoofed updates to that CPU can overwhelm the whole system: the router can no longer answer its real neighbors in time, and they declare it down. A second vector for the same class of attack is to fill the interface input queues; legitimate updates and hellos are then delayed or dropped behind the flood, which has the same result on the attacked infrastructure.


Mitigations

To mitigate this type of attack, apply an infrastructure ACL that allows only legitimate neighbors to send routing-protocol packets to the router's control plane. A second mitigation is control-plane policing, which limits the rate of packets the router will accept from a particular source. Some vendors also provide separate queues for neighbor adjacencies that are already established, so that hellos from known neighbors are serviced ahead of unknown traffic. Note that an ACL alone does not stop an attacker who spoofs a permitted neighbor's address, which is why per-source policing and the separate queues matter.
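The following simulation is an added example, not part of the original article and not any vendor's implementation. It models the attack described above (a flood of routing updates filling an input queue and the routing-engine CPU) and the three mitigations from this section: an infrastructure ACL, a per-source token-bucket policer, and a separate queue for established adjacencies that is served first. All addresses, rates, queue depths and timers are constructed for the example; the hello and dead intervals use the OSPF defaults of 10 and 40 seconds.

```python
"""Simulated control-plane protection against routing-update flooding (example)."""
from collections import deque
from dataclasses import dataclass

HELLO_INTERVAL = 10   # seconds between hellos (OSPF default on broadcast links)
DEAD_INTERVAL = 40    # neighbor declared down after this long without a hello
CPU_BUDGET = 100      # packets the routing engine can process per second (constructed)
QUEUE_LIMIT = 1000    # input queue depth before tail drop (constructed)
SIM_SECONDS = 60

ESTABLISHED = {"10.0.0.2", "10.0.0.3"}      # adjacencies already up (constructed)
INFRA_ACL = ESTABLISHED | {"10.0.0.4"}      # addresses allowed to send routing packets
SPOOFED_SRC = "10.0.0.4"    # attacker spoofs an allowed, not-yet-established address
OUTSIDE_SRC = "192.0.2.9"   # attacker outside the permitted infrastructure range
ATTACK_PPS = 1000           # packets per second from each attacking source


@dataclass
class Packet:
    t: float
    src: str
    kind: str   # "hello" or "update"


class TokenBucket:
    """Per-source policer: `rate` packets/s sustained, `burst` tokens in reserve."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ControlPlane:
    def __init__(self, use_acl, policer_pps, priority_queue):
        self.use_acl, self.policer_pps, self.priority_queue = use_acl, policer_pps, priority_queue
        self.policers = {}
        self.prio = deque()          # established neighbors, served first
        self.best_effort = deque()   # everything else
        self.drops = {"acl": 0, "policer": 0, "queue": 0}
        self.last_hello = {n: 0.0 for n in ESTABLISHED}
        self.down, self.peak_queue = set(), 0

    def ingest(self, pkt):
        if self.use_acl and pkt.src not in INFRA_ACL:      # infrastructure ACL
            self.drops["acl"] += 1
            return
        if self.policer_pps:                               # control-plane policing
            bucket = self.policers.setdefault(pkt.src, TokenBucket(self.policer_pps, self.policer_pps))
            if not bucket.allow(pkt.t):
                self.drops["policer"] += 1
                return
        q = self.prio if (self.priority_queue and pkt.src in ESTABLISHED) else self.best_effort
        if len(q) >= QUEUE_LIMIT:                          # interface queue tail drop
            self.drops["queue"] += 1
            return
        q.append(pkt)

    def service(self, now):
        """CPU processes up to CPU_BUDGET packets per tick, priority queue first."""
        self.peak_queue = max(self.peak_queue, len(self.best_effort))
        budget = CPU_BUDGET
        for q in (self.prio, self.best_effort):
            while q and budget:
                pkt = q.popleft()
                budget -= 1
                if pkt.kind == "hello" and pkt.src in ESTABLISHED:
                    self.last_hello[pkt.src] = now
        for n, last in self.last_hello.items():
            if now - last > DEAD_INTERVAL:
                self.down.add(n)


def traffic():
    """Constructed traffic: periodic hellos plus a 50-second flood from two sources."""
    pkts = [Packet(s + 0.5, n, "hello")
            for s in range(0, SIM_SECONDS + 1, HELLO_INTERVAL) for n in sorted(ESTABLISHED)]
    for s in range(5, 55):
        for i in range(ATTACK_PPS):
            pkts.append(Packet(s + i / ATTACK_PPS, SPOOFED_SRC, "update"))
            pkts.append(Packet(s + i / ATTACK_PPS, OUTSIDE_SRC, "update"))
    pkts.sort(key=lambda p: p.t)
    return pkts


def simulate(use_acl, policer_pps, priority_queue):
    cp, pkts, idx = ControlPlane(use_acl, policer_pps, priority_queue), traffic(), 0
    for s in range(SIM_SECONDS + 1):
        while idx < len(pkts) and pkts[idx].t < s + 1:
            cp.ingest(pkts[idx])
            idx += 1
        cp.service(s)
    return {"neighbors_down": sorted(cp.down), "drops": cp.drops, "peak_queue": cp.peak_queue}


if __name__ == "__main__":
    print("unprotected:", simulate(False, 0, False))
    print("protected:  ", simulate(True, 150, True))
```

In the unprotected run the flood keeps the single input queue full, every hello arriving after t=10 is tail-dropped, and both neighbors are declared down once the dead interval expires. In the protected run the ACL discards the outside source outright, and the policer limit of 150 pps is chosen deliberately above the CPU budget of 100 pps so that the spoofed source still saturates the best-effort queue; it is the separate queue for established adjacencies that keeps the real neighbors' hellos flowing with no delay.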