Instytut Informatyki Teoretycznej i Stosowanej Polskiej Akademii Nauk
Kirin: Hitting the Internet with Distributed BGP Announcements
Title
Kirin: Hitting the Internet with Distributed BGP Announcements
Publication Type
Conference Paper
Year of Publication
2024
Conference Name
ACM Asia Conference on Computer and Communications Security
Date Published
07/2024
Publisher
ACM
Conference Location
Singapore
ISBN Number
979-8-4007-0482-6/24/07
Abstract
The Internet is a critical resource in the daily life of billions of users. To support the growing number of users and their increasing demands, operators continuously scale their network footprint—e.g., by joining Internet Exchange Points (IXPs)—and adopt relevant technologies—such as IPv6—which provides a vastly larger address space than its predecessor.

In this paper, we revisit prefix de-aggregation attacks in the light of these two changes and introduce Kirin—an advanced BGP prefix de-aggregation attack that announces millions of IPv6 routes via thousands of IXP connections to overflow the memory of routers within remote ASes. Kirin’s highly distributed nature allows it to bypass traditional route-flooding defense mechanisms, such as per-session prefix limits or route flap damping.

We analyze Kirin’s theoretical feasibility by formulating it as a mathematical optimization problem, test for practical hurdles by deploying enough infrastructure to perform a micro-scale Kirin attack using 4 IXPs, and validate our assumptions via BGP data analysis, real-world measurements, and router testbed experiments. Despite its low deployment cost, we find that Kirin may inject lethal amounts of routes into the routers of thousands of ASes.