MEDIUM: Accessible BGP Service Report

DESCRIPTION LAST UPDATED: 2023-12-07

DEFAULT SEVERITY LEVEL: MEDIUM

Introduction

This report identifies accessible Border Gateway Protocol (BGP) servers on port 179/TCP.  As explained in wikipedia, BGP is a  standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems (AS) on the Internet.  The current BGP protocol specification can be found in RFC 4271.

Please refer to RFC7454 BGP Operations and Security for best practice guidance.

Specifically:

4.  Protection of the BGP Speaker

   The BGP speaker needs to be protected from attempts to subvert the
   BGP session.  This protection SHOULD be achieved by an Access Control
   List (ACL) that would discard all packets directed to TCP port 179 on
   the local device and sourced from an address not known or permitted
   to become a BGP neighbor.  Experience has shown that the natural
   protection TCP should offer is not always sufficient, as it is
   sometimes run in control-plane software.  In the absence of ACLs, it
   is possible to attack a BGP speaker by simply sending a high volume
   of connection requests to it.

How we scan

We scan by sending a BGP OPEN Message (a request to start a negotiation for a BGP session). We tag a service as open when we receive any BGP response, including a Connection Reject response.

We do not perform any intrusive checks on a discovered service.

Dashboard

You can track accessible BGP servers on our Dashboard here.

As of July 1st 2023, we see around 394 000 accessible BGP servers.

Mitigation

BGP services should not be accessible publicly.  Communication should be limited only to devices that are the expected BGP neighbors. Even if an OPEN Message is rejected, an attacker can still for example attempt to DDoS the BGP service (which may be operated in the control-plane of the router, at significantly lower throughput than the data-plane).

This report lists all BGP services that respond in any way. For a subset list of services that respond positively to our OPEN Message (which may result in BGP injection attacks), see our Open BGP Service Report.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

This report has an IPv4 and IPv6 version.

Filename: population_bgp, population6_bgp

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that response came on (always TCP)
  • port
    Port that the response came from (typically 1801/TCP)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Tag set to msmq
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • sector
    Sector of the device in question
  • message_length
    Total length of the message, including the header (in bytes)
  • message_type
    BGP message type
  • message_type_in
    BGP message type (in decimal)
  • bgp_version
    Protocol version number of the BGP response
  • sender_asn
    The Autonomous System number of the message sender
  • hold_time
    Number of seconds that the sender proposes for the hold time
  • bgp_identifier
    Identifier of the message sender (IPv4 or IPv6)
  • message2_type
    Second BGP message type in response (if included)
  • message2_type_int
    Second BGP message type in response (in decimal)
  • major_error_code
    The "Major" error code (refers to the broad category)
  • major_error_code_int
    The "Major" error code (in decimal)
  • minor_error_code
    The "Minor" error code (refers to the more specific reason for the major error)
  • minor_error_code_int
    The "Minor" error code (in decimal)

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","message_length","message_type","message_type_int","bgp_version","sender_asn","hold_time","bgp_identifier","message2_type","message2_type_int","major_error_code","major_error_code_int","minor_error_code","minor_error_code_int"
"2010-02-10 00:00:00",info,192.168.0.1,tcp,179,node01.example.com,bgp,64512,ZZ,Region,City,0,ptr,,29,OPEN,1,4,39912,,192.168.0.1,NOTIFICATION,3,Cease,6,"Connection Rejected",5
"2010-02-10 00:00:01",info,192.168.0.2,tcp,179,node02.example.com,bgp,64512,ZZ,Region,City,0,,,21,NOTIFICATION,3,,,,192.168.0.2,,,Cease,6,"Connection Rejected",5
"2010-02-10 00:00:02",info,192.168.0.3,tcp,179,node03.example.com,bgp,64512,ZZ,Region,City,0,ptr,,29,OPEN,1,4,65002,,192.168.0.3,NOTIFICATION,3,Cease,6,"Connection Rejected",5

Our 126 Report Types

« Back to Network Reporting