BGP – Thousands of open BGP ports at some organisations – Is there a reason for this?

bgp

I hope this is the right place to ask this, but I've been browsing Shodan in the hope of gaining some insight as to how many services my organisation has that are externally accessible, so I can work with our networking teams to get these closed, or work with the academics responsible for services to ensure the boxes are updated and configured correctly, or pull the server off the net to be internal-only.

I am noticing a trend among some universities where they have port 179 for BGP open among many thousands of IP addresses in the same IP address scope. To my knowledge, BGP responds to a telnet connection, even if it's just to say that access was denied, but Shodan shows no banner for these at all. If I try connecting using PuTTY, the window opens then closes very quickly, suggesting whatever is on the other end is terminating the session, possibly because I'm not on an access list.

I haven't done BGP yet in my studies, so I'm happy to learn, but this has me curious. I can say for certain that we don't have an AS number; our ISP owns the AS, and it's used for other institutions too, so in my basic knowledge of BGP we don't use it but our ISP does. Theoretically, then, there isn't any reason for us to have such a large number of port 179s across thousands of IPs open to the internet, and they can therefore be safely closed without affecting anything. I don't believe that we are acting as a peer for other organisations' routes either.

So, ultimately, is there any reason for an organisation that isn't large enough to run BGP to have port 179 open across a large scope of IP addresses?

Working in IT Security I feel I should know this!

Best Answer

Port 179 is responsible for forming the peer between the ISP and the client. In fact, few providers realize firewall protection on port 179 to avoid peering problems with their clients. In good practice, the ISP should perform an ACL by allowing TCP connections on port 179 only on the IPs that it provides to its clients closing a BGP session and blocking the rest, but I believe that it should be a very poorly performed practice. So since you do not have an AS, I cannot see how this "security breach" can impact your network.
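The behaviour described in the question (TCP/179 accepts the connection, then closes it with no banner) can be checked more precisely than with PuTTY or a Shodan banner. The following is an added example for auditing addresses in your own range, not code from the question or the answer; it uses only the Python 3 standard library, and the names `probe_bgp` and `parse_bgp_message` are chosen here.

```python
import socket
import struct

BGP_MARKER = b"\xff" * 16                      # RFC 4271 s4.1: 16 bytes of all-ones
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
NOTIFY_CODES = {1: "Message Header Error", 2: "OPEN Message Error",   # RFC 4271 s4.5
                3: "UPDATE Message Error", 4: "Hold Timer Expired",
                5: "Finite State Machine Error", 6: "Cease"}


def parse_bgp_message(data: bytes) -> dict:
    """Decode the 19-byte BGP header; for a NOTIFICATION also the error code and subcode."""
    if len(data) < 19 or data[:16] != BGP_MARKER:
        return {"type": "not-bgp"}                # e.g. an SSH or telnet banner on the wrong port
    length, msg_type = struct.unpack("!HB", data[16:19])
    result = {"type": BGP_TYPES.get(msg_type, f"unknown({msg_type})"), "length": length}
    if msg_type == 3 and len(data) >= 21:
        code, subcode = data[19], data[20]
        result["error"] = NOTIFY_CODES.get(code, f"code {code}")
        result["subcode"] = subcode               # Cease subcodes are listed in RFC 4486
    return result


def probe_bgp(host: str, port: int = 179, timeout: float = 3.0) -> dict:
    """Connect to TCP/179 and report how the remote side behaves before we send anything."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"state": "refused"}               # RST on SYN: nothing listening
    except socket.timeout:
        return {"state": "filtered"}              # no answer at all: dropped by a firewall or ACL
    except OSError as exc:
        return {"state": f"error: {exc}"}
    try:
        data = sock.recv(64)
    except socket.timeout:
        return {"state": "accepted-silent"}       # listener waiting for our OPEN: a live BGP speaker
    except ConnectionResetError:
        return {"state": "accepted-then-reset"}   # accepted, then RST: source is probably not a configured neighbour
    finally:
        sock.close()
    if not data:
        return {"state": "accepted-then-closed"}  # FIN with no banner: what the poster saw in PuTTY
    return {"state": "bgp-message", **parse_bgp_message(data)}


if __name__ == "__main__":
    import sys                                    # usage: probe179.py HOST [HOST ...]
    for target in sys.argv[1:]:
        print(target, probe_bgp(target))
```

A result of `accepted-then-closed` or `accepted-then-reset` across a whole range is consistent with a BGP speaker that has an access list or no matching neighbour for your source address, while `filtered` is what you would expect once the ACL the answer describes is in place.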
