Rule: 1111201

SID 1111201 / 11112011
Message DNP3 – Disable Unsolicited Responses
Rule alert tcp any any -> $DNP3_SERVER $DNP3_PORTS (flow:from_client,established; content:”|15|”; offset:12; depth:1; msg:”SCADA_IDS: DNP3 – Disable Unsolicited Responses”; reference:url,digitalbond.com/tools/quickdraw/dnp3-rules; classtype:attempted-dos; sid:1111201; rev:2; priority:2;)
Preprocessor Rule alert tcp any any -> $DNP3_SERVER $DNP3_PORTS (msg:”SCADA_IDS: DNP3 – Disable Unsolicited Responses”; dnp3_cmd_fc:21; reference:url,digitalbond.com/tools/quickdraw/dnp3-rules; classtype:attempted-dos; sid:11112011; rev:1; priority:2;)
Summary An attacker stops unsolicited responses from field devices to prevent alarms and other critical events.
Impact System integrity. Denial of service.
Detailed Information DNP3 is a protocol commonly used in SCADA and DCS networks for process control.A DNP3 request packet with function code 15 Disable Unsolicited will cause a DNP3 server to stop sending unsolicited responses.
Affected Systems PLC’s and other field devices that contain DNP3 servers.
Attack Scenarios An attacker with IP connectivity sends a DNP3 request packet with function code 15 to one or more PLC’s to prevent these PLC’s from sending unsolicited responses.This cyber attack could be a precursor to a physical attack.
Ease of Attack Simple. DNP3 clients are available for free on the Internet.
False Positives Occassionally there is a need to disable unsolicited responses for troubleshooting or system modifications.
False Negatives None known
Corrective Action Enable unsolicited responses, identify who sent the unauthorized command, and take appropriate action to prevent subsequent attacks by this individual.
Contributors Dale Peterson