Technologies are generally described for mitigation of a convergence attack in a network portion that includes multiple nodes interconnected by links in a closed configuration. In some examples, the attack may be detected by a detection module of an attack mitigation system in response to a determination that received average time to live (TTL) values of data packets are substantially decreased over the multiple nodes of the network portion. An identification module of the system may identify one or more potential attack links causing the attack, and generate a list from the potential attack links. The identification module may iterate the list across the potential attack links to gather traffic statistics of the network portion, and determine one or more attack links based on the traffic statistics. User-specific data traffic throttling to the attack links may then be enforced by a throttling module of the system to mitigate the attack.