DESCRIPTION LAST UPDATED: 2023-12-07
DEFAULT SECURITY LEVEL: HIGH
Introduction
This report identifies open Border Gateway Protocol (BGP) servers on port 179/TCP. As explained on Wikipedia, BGP is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems (AS) on the Internet. The current BGP protocol specification can be found in RFC 4271.
Please refer to RFC 7454, BGP Operations and Security, for best practice guidance. Specifically:
4. Protection of the BGP Speaker
The BGP speaker needs to be protected from attempts to subvert the
BGP session. This protection SHOULD be achieved by an Access Control
List (ACL) that would discard all packets directed to TCP port 179 on
the local device and sourced from an address not known or permitted
to become a BGP neighbor. Experience has shown that the natural
protection TCP should offer is not always sufficient, as it is
sometimes run in control-plane software. In the absence of ACLs, it
is possible to attack a BGP speaker by simply sending a high volume
of connection requests to it.
How we scan
We scan by sending a BGP OPEN message (a request to start a negotiation for a BGP session). We tag a service as open when we receive a response that matches the filter: message_type == "OPEN" and (message2_type == "" or message2_type == "KEEPALIVE").
We do not perform any intrusive checks on a discovered service.
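To check how a response captured from your own BGP speaker would be classified, the filter above can be applied offline to the raw TCP payload. The following is an added example, not the scanner's own code; the function names are hypothetical, the sample messages are constructed, and it assumes an empty message2_type means no second message was received.

```python
import struct

MARKER = b"\xff" * 16  # RFC 4271 section 4.1: the marker field is all ones
TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}


def build(msg_type, body=b""):
    """Build one BGP message; used only for the constructed samples below."""
    return MARKER + struct.pack("!HB", 19 + len(body), msg_type) + body


def message_types(payload):
    """Return the type names of the complete BGP messages in a TCP payload."""
    names, offset = [], 0
    while offset + 19 <= len(payload):
        marker, length, mtype = struct.unpack_from("!16sHB", payload, offset)
        # Stop on a bad marker, an out-of-range length or a truncated message.
        if marker != MARKER or not 19 <= length <= 4096:
            break
        if offset + length > len(payload):
            break
        names.append(TYPES.get(mtype, "UNKNOWN"))
        offset += length
    return names


def tagged_open(payload):
    """Apply the report's filter to the first two messages of a response."""
    names = message_types(payload)
    first = names[0] if names else ""
    second = names[1] if len(names) > 1 else ""  # assumption: "" = no 2nd message
    return first == "OPEN" and second in ("", "KEEPALIVE")


# Constructed samples: version 4, private AS 64512, hold time 180 s,
# documentation address 192.0.2.1 as BGP identifier, no optional parameters.
OPEN = build(1, struct.pack("!BHH4sB", 4, 64512, 180, bytes([192, 0, 2, 1]), 0))
KEEPALIVE = build(4)
CEASE = build(3, bytes([6, 5]))  # NOTIFICATION: Cease / Connection Rejected

if __name__ == "__main__":
    samples = [("OPEN+KEEPALIVE", OPEN + KEEPALIVE), ("OPEN only", OPEN),
               ("OPEN+NOTIFICATION", OPEN + CEASE), ("NOTIFICATION", CEASE)]
    for label, data in samples:
        print(f"{label:18} {message_types(data)} tagged={tagged_open(data)}")
```

A speaker that answers an unknown peer with a NOTIFICATION, or with nothing at all, does not match the filter.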
Dashboard
You can track accessible BGP servers on our Dashboard here.
As of July 1st, we see 115 routers that we consider “open”.
Mitigation
BGP services should not be publicly accessible or accept BGP OPEN requests from everyone. In the latter case, it may be possible to manipulate BGP routing tables. Access should be limited to the devices that are the expected BGP neighbors. Set up an ACL to discard all packets directed to TCP port 179 on the local device and sourced from an address not known or permitted to become a BGP neighbor.
Severity levels are described here.
For more information on our scanning efforts, check out our Internet scanning summary page.
This report has an IPv4 and IPv6 version.
Filename: scan_bgp, scan6_bgp