Thousands of open BGP ports at some organisations – Is there a reason for this?

I hope this is the right place to ask this, but I've been browsing Shodan in the hope of gaining some insight into how many services my organisation has that are externally accessible, so I can work with our networking teams to get these closed, or work with the academics responsible for the services to ensure the boxes are updated and configured correctly, or pull the server off the net to be internal-only.

I am noticing a trend among some universities where they have port 179 for BGP open on many thousands of IP addresses in the same IP address scope. To my knowledge, BGP responds to a telnet connection, even if it's just to say that access was denied, but Shodan shows no banner for these at all. If I try connecting using PuTTY, the window opens then closes very quickly, suggesting whatever is on the other end is terminating the session, possibly because I'm not on an access list.

I haven't done BGP yet in my studies, so I'm happy to learn, but this has me curious. I can say for certain that we don't have an AS number; our ISP owns the AS, and it's used for other institutions too. So, in my basic knowledge of BGP, we don't use it but our ISP does, so theoretically there isn't any reason for us to have such a large number of port 179s across thousands of IPs open to the internet, and they can therefore be safely closed without affecting anything. I don't believe that we are acting as a peer for other organisations' routes either.

So, ultimately, is there any reason for an organisation that isn't large enough to run BGP to have port 179 open across a large scope of IP addresses? Working in IT security, I feel I should know this!
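
As an added example (not part of the original question, and not code from any answer), here is a small Python probe that does what the telnet/PuTTY test above does by hand, but records the outcome instead of just flashing a window. A BGP speaker never sends a banner: after the TCP handshake it either waits for, or sends, a binary OPEN message, and a router with no neighbour statement for your source address commonly just accepts the connection and drops it (some send a NOTIFICATION Cease with subcode 5, Connection Rejected, per RFC 4486). The probe distinguishes "accepted then closed", "accepted and silent", "some bytes received" (checked against the RFC 4271 message header), "refused" and "timeout". The mock speaker in the block is constructed here so the probe can be exercised offline against 127.0.0.1; `probe_port`, `parse_bgp_header` and `start_mock_speaker` are names chosen for this example. An immediate close is consistent with an unconfigured BGP peer but also with a middlebox that answers every port, so the probe cannot tell those apart, and it should only be pointed at address space you are authorised to test.

```python
import socket
import threading

BGP_PORT = 179
BGP_MARKER = b"\xff" * 16          # RFC 4271 §4.1: 16-byte all-ones marker
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}


def probe_port(host, port=BGP_PORT, timeout=3.0):
    """Connect to host:port, read once, and classify what the far end did.

    Returns (status, data) where status is one of:
      'refused'        TCP RST to our SYN (nothing listening / reject rule)
      'timeout'        no SYN-ACK (silently dropped)
      'unreachable'    other socket error (no route, name failure, ...)
      'closed-by-peer' connection accepted, then closed without sending data
      'silent'         connection accepted, still open, nothing sent in timeout
      'data'           peer sent bytes first; they are returned in data
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", b"")
    except socket.timeout:
        return ("timeout", b"")
    except OSError:
        return ("unreachable", b"")
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return ("silent", b"")
        except ConnectionResetError:
            return ("closed-by-peer", b"")
    if not data:                    # orderly close (FIN) with no payload
        return ("closed-by-peer", b"")
    return ("data", data)


def parse_bgp_header(data):
    """Return (type_name, length) if data starts with a valid BGP message
    header (marker, 2-byte length, 1-byte type), otherwise None."""
    if len(data) < 19 or data[:16] != BGP_MARKER:
        return None
    length = int.from_bytes(data[16:18], "big")
    msg_type = data[18]
    if length < 19 or msg_type not in BGP_TYPES:
        return None
    return (BGP_TYPES[msg_type], length)


def start_mock_speaker(behaviour):
    """Constructed stand-in for a router's port 179, bound to an ephemeral
    port on 127.0.0.1 so the probe can run offline. behaviour is 'drop'
    (accept, then close at once, like a speaker with no neighbour statement
    for the caller) or 'notify' (accept, then send NOTIFICATION Cease /
    Connection Rejected). Returns the listening port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if behaviour == "notify":
                body = bytes([6, 5])            # error code 6 = Cease, subcode 5 = Connection Rejected
                length = 19 + len(body)
                conn.sendall(BGP_MARKER + length.to_bytes(2, "big") + bytes([3]) + body)
            # 'drop': fall through and close without sending anything
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for behaviour in ("drop", "notify"):
        port = start_mock_speaker(behaviour)
        status, data = probe_port("127.0.0.1", port)
        print(behaviour, "->", status, parse_bgp_header(data) if data else "")
```

Run against a real address you own with `probe_port("192.0.2.1")` (RFC 5737 documentation address used here as a placeholder). A result of `closed-by-peer` across a whole range is what the PuTTY behaviour in the question looks like from a script; a `data` result that parses as `NOTIFICATION` is the "access denied" style response the question expected, only in BGP's binary framing rather than a text banner.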
