There's something odd on the Net these days...

Mar 17, 2016

The handlers over at the Internet Storm Centre have been noticing a disturbing trend lately, namely, seeing the DNP protocol appearing on the open Net. You probably don't care about this because you've never heard of it before, but the protocol called DNP is used by process automation systems (SCADA) that control things like power generators and substations, pipelines, and other systems that have points of control scattered far and wide, systems in which a problem in one place can cascade into major problems everywhere downstream of the first problem. Now, maybe it's just me, but I find it worrisome that comm protocols for systems that most people would consider very important and generally a Bad Idea(tm) to put on the open Net where anyone could find and mess with them are showing up on the public, unclassified, unprotected Internet. Now, granted, there are a couple of open source SCADA systems out there, but they aren't very common at all. It's entirely possible that someone is either using the DNP protocol for something non-traditional, or that it just appears to be the DNP protocol but really isn't. Or, someone could be using one of those open-source implementations as part of a simple experiment over the Net and this is nothing to worry about.

I've looked at the packet captures in the ISC diary entry and done a bit of searching, and it appears that the attempts on port 20000/TCP were trying to get hold of the file /etc/psa/psa.conf, which seems to be a config file for a software package called Plesk, which is control panel software for webhosting companies to control the nodes in their server farms. This is the sort of distributed application that a protocol like DNP would be useful for: Controlling lots of nodes that are geographically distributed or so numerous that they would be cumbersome at best to manage. It's possible that this just appears to be DNP, though, and that Someone Out There has found a 0-day bug in Plesk and is actively scanning for instances to exploit.