Minimizing the BGP Flap Storm risk in NZ ... can I ask a favor?
Hi Team,

Some know me, some don’t. I’m asking as someone who has been around BGP security/resiliency for a while. We have a risk in the industry that we can all prevent - by deploying the BGP session security tools whenever we configure BGP sessions.

Our Problem: We have ~274,000 BGP sessions open to anyone in the world who wishes to initiate a low-level DDoS attack to disrupt the BGP session. New Zealand currently has ~470 open BGP sessions.

The Risk: A BGP Session knockdown risk model exists that can target an organization, an ISP, a whole country, or the entire Internet.

Is this a serious risk? About a year ago, I conducted a Shadowserver Ops review with one of the major US broadband companies. I shared with my peers working there that they had ~60 BGP IPv6 sessions open to the risk (no iACLs, no ACL on the device, no control plane protection, no GTSM, etc). They have been part of tabletop exercises where “BGP Flap Storm” was used as one of the plays. Once informed, they resolved the issue within 40 minutes through an emergency ACL deployment.

The ask:

- Deploy the basics of BGP Session Security on all your existing BGP Sessions.
- Talk to your peers on the other side of the BGP session to fix their BGP Session security (remember, BGP session re-establishment could happen from either side).
- Update your processes, procedures, and SCRIPTs to include BGP Session security (one of my theories is that people are using scripts to deploy that are not complete).

If you need a complete breakdown of which routers on your network have their BGP session open, take the simple route and sign up for the Daily Shadowserver reports on your network. They are free for you. I’ve locked down many ISPs’ security risks just by using the Shadowserver reports. Just go to this link to subscribe: https://www.shadowserver.org/what-we-do/network-reporting/get-reports/

Sincerely,

Barry Greene
Old Security Geek
WhatsApp/Signal +1 408 218 4669
PS - I’m asking this just in New Zealand right now because I live here (now) and wondering if we could knock out this risk …. Or is the potential of a BGP Flap Storm knocking out Telecom something we have to just live with?

Resources to Review

- Shadowserver Dashboard Global: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=30&source=population&source=population6&tag=bgp&dataset=unique_ips&limit=100&group_by=geo&stacking=stacked&auto_update=on
- Shodan Global BGP Dashboard: https://www.shodan.io/search/report?query=product%3Abgp+port%3A%22179%22&title=BGP%20Usage%20Report
- Advisory to FIRST Community - BGP Port 179 DDoS Risk Or How to cause unprecedented global chaos this week: https://docs.google.com/document/d/1oDD5-qlu0rlHUtjNZHKrfdug99ynSXHc2vdHPktTFH4/edit?usp=sharing
- Protecting BGP Sessions - Step-by-Step Guide to Prevent an Easy DDoS: https://docs.google.com/document/d/13GoLbWmeypFerOJCh5Dp4-KcMu4BArXJP33PfYJc...
- Shadowserver Report: HIGH: Open BGP Service Report: https://www.shadowserver.org/what-we-do/network-reporting/open-bgp-service-r...
- Shadowserver Report: MEDIUM: Accessible BGP Service Report: https://www.shadowserver.org/what-we-do/network-reporting/accessible-bgp-ser...
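One practical way to act on the "update your SCRIPTs" point above is to lint BGP configuration before it is pushed, flagging neighbors that lack the session-security basics. The following is an added example, not code from the original post or from Shadowserver; it assumes Cisco IOS-style syntax (`neighbor <addr> password ...` for TCP session authentication and `neighbor <addr> ttl-security hops 1` for GTSM) and runs over a constructed sample config using documentation addresses and ASNs.

```python
import re
from collections import defaultdict

# Constructed Cisco IOS-style snippet for illustration only (documentation
# prefixes 192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32 and private ASNs).
SAMPLE_CONFIG = """
router bgp 64496
 neighbor 192.0.2.1 remote-as 64497
 neighbor 192.0.2.1 password 7 <redacted>
 neighbor 192.0.2.1 ttl-security hops 1
 neighbor 198.51.100.9 remote-as 64498
 neighbor 2001:db8::1 remote-as 64499
 neighbor 2001:db8::1 password 7 <redacted>
"""

# The session-security basics this check expects on every neighbor:
# 'password' = TCP session authentication, 'ttl-security' = GTSM (RFC 5082).
REQUIRED = ("password", "ttl-security")

NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+(\S+)")


def parse_neighbors(config: str) -> dict:
    """Map each neighbor address to the set of option keywords configured on it."""
    neighbors = defaultdict(set)
    for line in config.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            neighbors[m.group(1)].add(m.group(2))
    return dict(neighbors)


def find_gaps(config: str) -> dict:
    """Return {neighbor: [missing keywords]} for neighbors lacking any basic."""
    gaps = {}
    for addr, opts in parse_neighbors(config).items():
        missing = [k for k in REQUIRED if k not in opts]
        if missing:
            gaps[addr] = missing
    return gaps


if __name__ == "__main__":
    for addr, missing in find_gaps(SAMPLE_CONFIG).items():
        print(f"{addr}: missing {', '.join(missing)}")
```

The check does not cover peer-groups, templates, TCP-AO, or the infrastructure ACL / control-plane policing the post also asks for, so treat it as a first gate in a deployment script rather than a complete audit.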