funsec mailing list archives

Port Scanning Precursor to Attempted SCADA Attacks?


From: "Fergie" <fergdawg () netzero net>
Date: Thu, 18 Jan 2007 21:39:48 GMT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm sure most people watch the news over at the SANS ISC, but
just in case...

[snip]

We've been noticing a fair amount of activity on port 20000/TCP over the
last month or so.

http://isc.sans.org/port.html?port=20000

UPDATE:
A number of people wrote in with information about recent alerts for
activity targeting the DNP protocol or systems running DNP services. DNP is
used in SCADA systems in the electric and water utilities industry for
process control.

http://en.wikipedia.org/wiki/DNP3

DNP scanning activity was first reported in Oct 2006 with alerts in late
Nov 2006. Significant scanning has been observed in late Dec. 2006 and is
ongoing. A reader also contributed details of a system infection recently
where port 1901/TCP and 20000/TCP were both used. Some reports have
suggested a relationship between these DNP scans and scanning activity for
port 10000/TCP (NDMP, Webmin).

Without more information on the scanning sources or full packet captures it
is difficult to pinpoint/pigeonhole the current activity.

[snip]

More:
http://isc.sans.org/diary.html?storyid=2067

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.2 (Build 4075)

wj8DBQFFr+kgq1pz9mNUZTMRAiLGAKCP0NUWsBIihNqOKStNFTbUk32A3gCgvOxt
fCQApKVV6WktcTxQ1JnV4BY=
=n5qi
-----END PGP SIGNATURE-----


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/

