Port 179 (TCP) – BGP

Border Gateway Protocol — the exterior routing protocol that exchanges reachability between autonomous systems.

TCP · Well-known · Commonly attacked

Default state

Open between configured BGP peers (routers, route servers, IXP fabric). Should never be reachable from arbitrary internet hosts.

Common attacks

  • Prefix / route hijacking (announcing routes you don't own)
  • TCP RST session reset and session hijacking
  • Spoofed or malformed UPDATE messages to flap or poison routes
  • DoS against the BGP listener to drop peering sessions

Hardening

  • Authenticate sessions with TCP-MD5 or TCP-AO between peers
  • Enforce GTSM (TTL security / max-hop check) on the listener
  • Filter prefixes with IRR-based prefix-lists and max-prefix limits
  • Deploy RPKI Route Origin Validation to reject bogus origins
  • ACL the port so only known peer IPs can reach TCP/179

nmap snippet

nmap -p179 --script bgp-routing <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 179?

Port 179 is the registered TCP port for BGP (Border Gateway Protocol), the protocol that glues the internet together by exchanging routing reachability between autonomous systems (AS). Peers open a TCP/179 session, swap their known prefixes, and continuously send incremental UPDATE messages as routes change. It runs between ISP edge routers, enterprise multihomed routers, route servers, and internet exchange fabrics.

Why it matters for security

BGP has essentially no built-in authentication of what a peer is allowed to announce, so it operates on trust. A bad or hijacked announcement can redirect, blackhole, or intercept traffic for entire networks. Because the session rides on plain TCP, it is also vulnerable to session resets and spoofing if the listener is reachable or peers aren't authenticated.

How it's attacked

The headline threat is prefix hijacking — an AS announcing routes it does not own to pull in or intercept traffic. At the session layer, attackers attempt TCP RST injection to tear down peering, session hijacking, or floods of malformed UPDATE messages to flap and poison routes. An exposed listener can also simply be DoSed to break peering.

Hardening checklist

Authenticate every session with TCP-MD5 or TCP-AO and enforce GTSM/TTL security so off-path spoofers can't reach the session. Apply strict prefix-lists from IRR data and max-prefix limits, and deploy RPKI Route Origin Validation to drop bogus origins. ACL TCP/179 to known peer IPs only. The nmap script above probes BGP on devices you are authorized to test.
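As an added example that is not part of this reference page or of any router vendor's code, the following Python models the three announcement-side controls from the checklist (an IRR-derived prefix-list, RPKI Route Origin Validation as in RFC 6811, and a max-prefix limit) against a constructed set of UPDATEs; the ROAs, prefix-list entries and ASNs are made-up documentation values.

```python
import ipaddress
from collections import namedtuple

# One RPKI Route Origin Authorization: prefix, maxLength (longest prefix the
# origin may announce under this ROA) and the authorised origin AS.
ROA = namedtuple("ROA", "prefix max_len origin_as")

def rov_state(announced, origin_as, roas):
    """RFC 6811 Route Origin Validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(announced, strict=False)
    covering = [r for r in roas if ipaddress.ip_network(r.prefix).version == net.version
                and net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "not-found"   # no ROA covers this prefix; ROV alone cannot judge it
    if any(r.origin_as == origin_as and net.prefixlen <= r.max_len for r in covering):
        return "valid"
    return "invalid"         # covered, but wrong origin AS or more specific than maxLength

def irr_allows(announced, prefix_list):
    """IRR-derived prefix-list: 'prefix' matches exactly, 'prefix le N' also admits sub-prefixes up to /N."""
    net = ipaddress.ip_network(announced, strict=False)
    for entry in prefix_list:
        base, _, le = entry.partition(" le ")
        base_net = ipaddress.ip_network(base)
        longest = int(le) if le else base_net.prefixlen
        if base_net.version == net.version and net.subnet_of(base_net) and net.prefixlen <= longest:
            return True
    return False

def filter_update(announcements, prefix_list, roas, max_prefix):
    """Prefix-list, then ROV, then max-prefix; returns (accepted, rejected-with-reason, tear_down_session)."""
    accepted, rejected = [], []
    for prefix, origin_as in announcements:
        if not irr_allows(prefix, prefix_list):
            rejected.append((prefix, "not in IRR prefix-list"))
        elif rov_state(prefix, origin_as, roas) == "invalid":
            rejected.append((prefix, "RPKI invalid"))
        else:
            accepted.append(prefix)
    return accepted, rejected, len(accepted) > max_prefix   # over the limit: drop the peer session

# Constructed sample data (documentation ranges, private ASNs), not real routing data.
ROAS = [ROA("192.0.2.0/24", 24, 64496), ROA("198.51.100.0/24", 25, 64497)]
PREFIX_LIST = ["192.0.2.0/24 le 25", "198.51.100.0/24 le 25", "203.0.113.0/24"]
PEER_UPDATES = [("192.0.2.0/24", 64496),     # legitimate origin, exact match: accepted
                ("192.0.2.0/25", 64496),     # passes 'le 25' but exceeds ROA maxLength 24: RPKI invalid
                ("198.51.100.0/25", 64497),  # within both 'le 25' and maxLength 25: accepted
                ("198.51.100.0/24", 64666),  # covered prefix announced from the wrong origin AS: invalid
                ("203.0.113.0/24", 64498),   # no ROA at all: not-found, only the prefix-list guards it
                ("10.0.0.0/8", 64499)]       # absent from the IRR prefix-list: rejected before ROV
```

Note that the not-found case is accepted: ROV only rejects what a ROA contradicts, which is why the checklist pairs it with IRR prefix-lists rather than relying on it alone.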

Frequently asked questions

Should port 179 be exposed to the internet?
No. BGP should only accept connections from explicitly configured peer addresses. Restrict TCP/179 with ACLs and authenticate sessions; an open listener invites spoofed peering and DoS.
What stops BGP route hijacking?
RPKI Route Origin Validation, strict IRR-based prefix filtering, and max-prefix limits reject announcements from networks that aren't authorized to originate a prefix.