Description
Describe the current behavior
Currently, Nmap can identify open TCP/179 ports, but it does not provide specific detection for exposed and unauthenticated BGP endpoints, nor does it validate whether a BGP service is improperly exposed to the public Internet or accessible without proper authentication or filtering. This limits early detection of critical BGP misconfigurations that may lead to route leaks, hijacks, or unauthorized session attempts.
Expected behavior
I propose an NSE script capable of:
- Detecting active BGP endpoints on TCP/179.
- Verifying whether the BGP service responds without authentication or access control.
- Identifying publicly exposed or improperly filtered BGP interfaces.
- Optionally extracting basic BGP OPEN metadata (ASN, capabilities) in a safe, non-invasive way.
- Flagging potential misconfigurations that may represent route hijack or exposure risks.
This script would help network operators, ISPs, and security teams audit BGP exposure in a fast, automated, and low-impact manner.
Use case
This is especially relevant for:
- ISP edge security validation.
- Internet-exposed routers.
- Research and academic environments.
- Early detection of misconfigured BGP services before exploitation.
Relationship to current research
This proposal is aligned with current research efforts related to BGP exposure, routing security, and Internet control-plane protection, and could complement ongoing IETF initiatives in inter-domain routing resilience.
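The "basic BGP OPEN metadata" item above comes down to decoding whatever the peer sends first on TCP/179. The sketch below is an added example, not part of this issue or of Nmap, and is written in Python rather than NSE Lua. It parses an already-received OPEN or NOTIFICATION per RFC 4271, RFC 5492 and RFC 6793 without sending anything; the function names and the sample message are constructed for illustration.

```python
import ipaddress
import struct

MARKER = b"\xff" * 16
AS_TRANS = 23456  # 2-byte placeholder ASN used when the real ASN needs 4 bytes
CAP_NAMES = {1: "multiprotocol", 2: "route-refresh", 65: "4-octet-as"}

def tlvs(buf):
    """Yield (type, value) pairs from a run of 1-byte-type, 1-byte-length TLVs."""
    i = 0
    while i + 2 <= len(buf):
        t, n = buf[i], buf[i + 1]
        if i + 2 + n > len(buf):
            raise ValueError("truncated TLV")
        yield t, buf[i + 2:i + 2 + n]
        i += 2 + n

def parse_bgp_message(data):
    """Decode one BGP OPEN or NOTIFICATION; raise ValueError on anything else."""
    if len(data) < 19 or data[:16] != MARKER:
        raise ValueError("not a BGP header")
    length, msg_type = struct.unpack("!HB", data[16:19])
    if not 19 <= length <= 4096 or length > len(data):
        raise ValueError("bad or truncated length")
    body = data[19:length]
    if msg_type == 3 and len(body) >= 2:  # NOTIFICATION: error code + subcode
        return {"type": "NOTIFICATION", "code": body[0], "subcode": body[1]}
    if msg_type != 1 or len(body) < 10:
        raise ValueError("not a well-formed OPEN or NOTIFICATION")
    version, my_as, hold, ident, opt_len = struct.unpack("!BHHIB", body[:10])
    if 10 + opt_len != len(body):
        raise ValueError("optional parameter length mismatch")
    asn, caps = my_as, []
    for p_type, p_val in tlvs(body[10:]):
        if p_type != 2:  # only the Capabilities optional parameter is decoded
            continue
        for code, val in tlvs(p_val):
            caps.append(CAP_NAMES.get(code, code))
            if code == 65 and len(val) == 4:  # real ASN overrides AS_TRANS
                asn = struct.unpack("!I", val)[0]
    return {"type": "OPEN", "version": version, "asn": asn, "hold_time": hold,
            "bgp_id": str(ipaddress.IPv4Address(ident)), "capabilities": caps}

def sample_open():
    """Constructed OPEN: private 4-byte ASN, documentation-range router ID."""
    caps = bytes([1, 4, 0, 1, 0, 1, 2, 0, 65, 4]) + struct.pack("!I", 4200000001)
    opts = bytes([2, len(caps)]) + caps
    body = struct.pack("!BHHIB", 4, AS_TRANS, 90, int(ipaddress.IPv4Address("192.0.2.1")), len(opts)) + opts
    return MARKER + struct.pack("!HB", 19 + len(body), 1) + body
```

A NOTIFICATION with code 6 (Cease) still confirms that a BGP speaker is reachable on the port even though no session metadata is disclosed, so an audit should record both outcomes.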