BGP Security Research Question

Roland Dobbins rdobbins at
Tue Nov 4 11:02:47 UTC 2014

On 4 Nov 2014, at 10:57, Anthony Weems wrote:

> I'm a student in college learning about networking and, specifically, 
> BGP.
> Does anyone have any statistics on the use of S-BGP or soBGP in the 
> wild?

Take a look at rPKI.

> Additionally, do people scan BGP speakers in the same sense that
> researchers perform scans of the Internet (e.g. zmap)?

Everything on the Internet is scanned (or, at least attempts to scan 
everything on the Internet are made), constantly.

If network operators have configured their BGP speakers properly, with 
BCPs such as iACLs and GTSM, then they can't be touched by anything 
except configured peers.

TCP/179 scanning of BGP speakers which haven't implemented the BCPs 
isn't generally going to return much in the way of useful results beyond 
identifying the BGP speakers themselves, as the scanners aren't 
configured as peers (it may be possible to fingerprint some BGP speakers 
via scanning a la nmap or zmap or masscan, perhaps someone else can 
comment on this).  That being said, attackers will scan routers that 
they're interested in DDoSing or subverting; implementing the relevant 
BCPs is strongly recommended.

Networks which haven't implemented the BCPs sometimes find their BGP 
peering sessions disrupted via DDoS attacks against the routers 
themselves;   SYN-floods and the like against TCP/179 are sometimes used 
to disrupt BGP sessions in such scenarios, for example.  Aggressive 
scanning per the above against BGP speakers which haven't implemented 
the BCPs could result in inadvertent disruption of BGP sessions.

Roland Dobbins <rdobbins at>

More information about the NANOG mailing list