DNP3.Points.List.Scan

Description

This indicates a possible attempt by an attacker to determine which DNP3 data points are available, as part of the reconnaissance phase of an attack.
DNP3 is a protocol commonly used in SCADA and DCS networks for process control. Read and write requests are issued to a DNP3 outstation to address points representing objects. The DNP3 application layer provides Internal Indications (IIN) for initiating error recovery. This signature looks for specific IIN bits that could be a result of malicious activity. If a read or write request is made to an address that is not configured in the DNP3 outstation, the outstation responds with an error in the IIN. An authorized HMI or server is unlikely to issue a read or write request to an address that is not configured.
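The check described above can be sketched as follows. This is an added example, not the vendor's signature logic: it reads the IIN octets from DNP3 response frames and counts error indications per master/outstation pair. The choice of IIN2 bits, the `threshold` value, the function names and the sample frames are assumptions made for illustration, and link-layer CRCs are not verified.

```python
import struct
from collections import Counter

# Assumption: these IIN2 error bits (IEEE 1815 names) are the ones of interest;
# the page does not say which bits the signature inspects.
IIN2_ERRORS = {0x01: "NO_FUNC_CODE_SUPPORT", 0x02: "OBJECT_UNKNOWN", 0x04: "PARAMETER_ERROR"}
RESPONSE_FCS = {0x81, 0x82}  # solicited and unsolicited response function codes

def iin_errors(frame: bytes):
    """Return (master, outstation, [error names]) for a first-segment response, else None."""
    if len(frame) < 15 or frame[:2] != b"\x05\x64":   # DNP3 link-layer start bytes
        return None
    master, outstation = struct.unpack_from("<HH", frame, 4)  # link DEST, SRC (little-endian)
    # First user-data block follows the 10-byte link header:
    # transport, app control, function code, IIN1, IIN2.
    transport, _app_ctrl, fc, _iin1, iin2 = frame[10:15]
    if not transport & 0x40 or fc not in RESPONSE_FCS:  # need FIR segment carrying a response
        return None
    return master, outstation, [n for bit, n in IIN2_ERRORS.items() if iin2 & bit]

def suspected_scanners(frames, threshold=3):
    """Count error responses per (master, outstation); threshold is a hypothetical tuning value."""
    hits = Counter()
    for frame in frames:
        parsed = iin_errors(frame)
        if parsed and parsed[2]:
            hits[parsed[:2]] += 1
    return {pair: n for pair, n in hits.items() if n >= threshold}

def build_response(master, outstation, iin2):
    """Constructed test frame; CRC fields are zeroed and not verified by the parser."""
    link = b"\x05\x64" + bytes([10, 0x44]) + struct.pack("<HH", master, outstation) + b"\x00\x00"
    return link + bytes([0xC0, 0xC0, 0x81, 0x00, iin2]) + b"\x00\x00"

# Constructed sample: master 1 polls normally, master 99 requests unconfigured points.
SAMPLE = ([build_response(1, 10, 0x00)] * 20 + [build_response(1, 10, 0x02)]
          + [build_response(99, 10, 0x02)] * 4 + [build_response(99, 10, 0x04)])

if __name__ == "__main__":
    for (master, outstation), n in suspected_scanners(SAMPLE).items():
        print(f"master {master} -> outstation {outstation}: {n} IIN error responses")
```

A single error response from a known master, as master 1 produces in the sample, stays under the threshold; repeated errors toward one master address are what stand out.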

Affected Products

DNP3 outstations, such as PLCs, RTUs and IEDs.

Impact

System compromise: Attacker reconnaissance in preparation for an attack.

Recommended Actions

Deploy access control lists or firewalls to allow access only from authorized IP addresses.


Coverage

IPS (Regular DB)
IPS (Extended DB)