BGP Security Research Question
rdobbins at arbor.net
Tue Nov 4 11:02:47 UTC 2014
On 4 Nov 2014, at 10:57, Anthony Weems wrote:
> I'm a student in college learning about networking and, specifically,
> Does anyone have any statistics on the use of S-BGP or soBGP in the
Take a look at rPKI.
> Additionally, do people scan BGP speakers in the same sense that
> researchers perform scans of the Internet (e.g. zmap)?
Everything on the Internet is scanned (or, at least attempts to scan
everything on the Internet are made), constantly.
If network operators have configured their BGP speakers properly, with
BCPs such as iACLs and GTSM, then they can't be touched by anything
except configured peers.
TCP/179 scanning of BGP speakers which haven't implemented the BCPs
isn't generally going to return much in the way of useful results beyond
identifying the BGP speakers themselves, as the scanners aren't
configured as peers (it may be possible to fingerprint some BGP speakers
via scanning a la nmap or zmap or masscan, perhaps someone else can
comment on this). That being said, attackers will scan routers that
they're interested in DDoSing or subverting; implementing the relevant
BCPs is strongly recommended.
Networks which haven't implemented the BCPs sometimes find their BGP
peering sessions disrupted via DDoS attacks against the routers
themselves; SYN-floods and the like against TCP/179 are sometimes used
to disrupt BGP sessions in such scenarios, for example. Aggressive
scanning per the above against BGP speakers which haven't implemented
the BCPs could result in inadvertent disruption of BGP sessions.
Roland Dobbins <rdobbins at arbor.net>
More information about the NANOG