Kirin: Hitting the Internet with Millions of Distributed IPv6 Announcements

TL;DR

This paper introduces Kirin, a sophisticated IPv6 prefix de-aggregation attack that leverages millions of distributed BGP announcements to overwhelm border routers, highlighting new security vulnerabilities in the expanding IPv6 Internet infrastructure.

Contribution

Kirin is a novel, highly distributed attack method that bypasses traditional defenses by sourcing and distributing millions of IPv6 routes across multiple IXPs, demonstrating a new threat to Internet routing security.

Findings

Kirin can inject millions of IPv6 routes into target ASes.

The attack bypasses traditional route-flooding defenses.

Feasibility confirmed through real-world experiments and data analysis.

Abstract

The Internet is a critical resource in the day-to-day life of billions of users. To support the growing number of users and their increasing demands, operators have to continuously scale their network footprint -- e.g., by joining Internet Exchange Points -- and adopt relevant technologies -- such as IPv6. IPv6, however, has a vastly larger address space compared to its predecessor, which allows for new kinds of attacks on the Internet routing infrastructure. In this paper, we revisit prefix de-aggregation attacks in the light of these two changes and introduce Kirin -- an advanced BGP prefix de-aggregation attack that sources millions of IPv6 routes and distributes them via thousands of sessions across various IXPs to overflow the memory of border routers within thousands of remote ASes. Kirin's highly distributed nature allows it to bypass traditional route-flooding defense mechanisms, such as per-session prefix limits or route flap damping. We analyze the theoretical feasibility of the attack by formulating it as a Integer Linear Programming problem, test for practical hurdles by deploying the infrastructure required to perform a small-scale Kirin attack using 4 IXPs, and validate our assumptions via BGP data analysis, real-world measurements, and router testbed experiments. Despite its low deployment cost, we find Kirin capable of injecting lethal amounts of IPv6 routes in the routers of thousands of ASes.