Notes
| Alternative Ports |
|---|
| 179 TCP (default) |
Service Description
The Border Gateway Protocol (BGP) runs on TCP port 179 and is used to exchange routing information between autonomous systems (ASes) on the internet. It’s a core part of the internet’s routing infrastructure. BGP can also be used internally (iBGP) within large enterprise networks. Misconfigured or exposed BGP can lead to serious routing manipulation and hijacking attacks.
Important
BGP is rarely exposed directly to external scanners. Enumeration is most useful in internal network scenarios or on misconfigured edge routers.
Warning
BGP is very sensitive: anything beyond passive recon can disrupt whole networks. It is very unlikely that active exploitation PoCs will be possible (or in scope) on an engagement.
Attacks
BGP Session Hijacking
If an attacker can spoof TCP sessions and predict sequence numbers, they can inject routes into an established BGP session.
BGP Route Hijacking / Leaking
Misconfigured routers can leak internal prefixes or accept bogus prefixes, allowing for traffic redirection or blackholing.
Unauthenticated Session Establishment (MD5 missing)
If BGP authentication isn’t enforced, it may be possible to initiate a session as a rogue peer.
Tools & Exploits
Enumeration
nmap
Basic confirmation of BGP port exposure.
nmap -sT -p 179 <target-ip>
zmap / masscan
Useful for scanning large IP ranges for exposed BGP services.
masscan <target-cidr> -p179 --rate=1000
bgpreader / BGPStream (RouteViews, RIPE RIS)
Passive tools to investigate AS paths, prefix advertisements, and leaked routes.
ExaBGP / GoBGP
Useful for building custom BGP-speaking tools (requires BGP peering access).
Exploitation or Post-Enum
TCP Session Spoofing (Theoretical)
Attempting to inject packets mid-session to hijack established BGP communication (rare and difficult, especially with modern TCP stack protections).
BGP Hijack via Route Injection
Can be tested in lab environments using ExaBGP or FRRouting to simulate route leaks.
Wireshark Analysis Tips
Filters
tcp.port == 179
bgp
What to look for:
- OPEN messages → session establishment attempts
- KEEPALIVE → indicates an active BGP session
- UPDATE messages → route advertisements or withdrawals
- No TCP Option 19 (MD5 Signature) → indicates no BGP authentication in use
- Right-click TCP header > Expand TCP Options > Look for absence of Option 19
- Check 169.254.x.x BGP peer traffic → often internal APIPA links; worth noting if unauthenticated
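The Option 19 check and the message-type identification above can be scripted for auditing a capture offline. The following is an added example (not part of the original notes): it walks the TCP options of a raw port-179 segment, reports whether the MD5 Signature Option (kind 19) is present, and names the BGP messages in the payload. The segments, AS number and BGP identifier are constructed inline for the demo.

```python
import struct

# BGP message types from the RFC 4271 header; TCP option kind 19 is the
# MD5 Signature Option (RFC 2385) that authenticates a BGP session.
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
TCP_OPT_MD5 = 19
BGP_MARKER = b"\xff" * 16

def tcp_option_kinds(segment):
    """Return the option kinds carried in a raw TCP segment (header + payload)."""
    data_offset = (segment[12] >> 4) * 4          # TCP header length in bytes
    opts, kinds, i = segment[20:data_offset], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                              # End of option list
            break
        if kind == 1:                              # NOP padding, one byte
            i += 1
            continue
        kinds.append(kind)
        i += max(opts[i + 1], 2)                   # skip by option length
    return kinds

def bgp_message_types(payload):
    """Walk the BGP messages in a TCP payload and name each one."""
    names = []
    while len(payload) >= 19:
        marker, length, mtype = struct.unpack("!16sHB", payload[:19])
        if marker != BGP_MARKER or length < 19 or length > len(payload):
            break                                  # not BGP, or truncated
        names.append(BGP_TYPES.get(mtype, "UNKNOWN"))
        payload = payload[length:]
    return names

def audit_segment(segment):
    """Report whether a port-179 segment is MD5-signed and which BGP messages it carries."""
    data_offset = (segment[12] >> 4) * 4
    return {"md5_signed": TCP_OPT_MD5 in tcp_option_kinds(segment),
            "messages": bgp_message_types(segment[data_offset:])}

def make_segment(options, payload):
    """Constructed sample: minimal TCP segment to port 179 (checksum left zero)."""
    header_len = 20 + len(options)
    fixed = struct.pack("!HHIIBBHHH", 40000, 179, 1, 1, (header_len // 4) << 4, 0x18, 65535, 0, 0)
    return fixed + options + payload

# Constructed samples: a KEEPALIVE and a minimal OPEN (version 4, private AS 64512).
KEEPALIVE = BGP_MARKER + struct.pack("!HB", 19, 4)
OPEN = BGP_MARKER + struct.pack("!HBBHHIB", 29, 1, 4, 64512, 180, 0x0A000001, 0)
MD5_OPT = bytes([TCP_OPT_MD5, 18]) + b"\x00" * 16 + b"\x01\x01"   # dummy digest + NOP pad
UNSIGNED = make_segment(b"", OPEN + KEEPALIVE)    # no Option 19: unauthenticated session
SIGNED = make_segment(MD5_OPT, KEEPALIVE)         # Option 19 present: TCP-MD5 in use
```

In a real audit, feed it the TCP layer of each port-179 frame pulled from a pcap; a session with no Option 19 across all its segments is the unauthenticated peer the Wireshark checklist above describes.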
Visibility Considerations:
- You can only see APIPA (169.254.x.x) traffic if you’re on the same L2 segment as the router interface.
- Useful capture locations:
- Mirror/Span Port on the switch connected to the BGP-facing interface
- Router-side tcpdump (if accessible):
tcpdump -i <iface> tcp port 179
- APIPA is link-local and non-routable, so you won’t see it elsewhere.
- Check for ARP entries as an indicator of presence:
arp -a | grep 169.254