virus logo Intrusion Prevention

DNP3.Function.Code.Scan

description-logoDescription

This indicates a possible attempt by an attacker to determine what DNP3 function codes are available in the reconnaissance phase of an attack.
DNP3 is a protocol commonly used in SCADA and DCS networks for process control. A function code is included in each request that determines the type of request, such as read, write, or administrative. If the DNP3 outstation does not support the function code it will respond with an error function code and bit 0 of the second Internal Indications (IIN) byte will be set to 1. It would be an unusual error for an authorized HMI or server to issue a function code request that is not supported. Some vendors support vendor specific function codes so the result of a function code scan could allow an attacker to identify the field equipment's vendor and model.

affected-products-logoAffected Products

DNP3 outstations, such as PLCs, RTUs and IEDs.

Impact logoImpact

System compromise: Reconnaissance.

recomended-action-logoRecommended Actions

Deploy access control lists or firewalls to only allow access from authorized IP addresses.

Telemetry logoTelemetry

Coverage

IPS (Regular DB)
IPS (Extended DB)
ID 15282
Created Jan 10, 2008
Updated Apr 23, 2014
Risk black-background-circle-icon lightgray-background-circle-icon lightgray-background-circle-icon lightgray-background-circle-icon lightgray-background-circle-icon
Default Action pass
Active
Affected OS Other
Affected App SCADA