I make fun of Modbus because it is a network protocol invented by people with limited background in programming let alone protocol design (like indexes start at 1?
-
I make fun of Modbus because it is a network protocol invented by people with limited background in programming let alone protocol design (like indexes start at 1? what?).
I've been writing my own DNP3 stack (native Python stack) and I've gotta say the exact opposite about DNP3. It was written by insane network protocol people who aren't worried at all about making something ridiculously complex. Especially if twenty extra parsing steps might allow someone to save a byte or two on-the-wire. I totally get how Adam and Chris found 18 bjillion parsing bugs in dnp3 systems a few years ago. I'm surprised they didn't find even more bugs.
-
I make fun of Modbus because it is a network protocol invented by people with limited background in programming let alone protocol design (like indexes start at 1? what?).
I've been writing my own DNP3 stack (native Python stack) and I've gotta say the exact opposite about DNP3. It was written by insane network protocol people who aren't worried at all about making something ridiculously complex. Especially if twenty extra parsing steps might allow someone to save a byte or two on-the-wire. I totally get how Adam and Chris found 18 bjillion parsing bugs in dnp3 systems a few years ago. I'm surprised they didn't find even more bugs.
@reverseics My favorite part about DNP3 is how inconsistent firewalls are if you are doing anything more than simple port blocking.
-
@reverseics My favorite part about DNP3 is how inconsistent firewalls are if you are doing anything more than simple port blocking.
@cR0w transport layer fragmentation in dnp3 introduces all sorts of fun firewall evasion. a firewall really needs to reassemble the complete request before determining whether the request is allowed, so I'm not surprised at all about firewall evasions :(.
-
@cR0w transport layer fragmentation in dnp3 introduces all sorts of fun firewall evasion. a firewall really needs to reassemble the complete request before determining whether the request is allowed, so I'm not surprised at all about firewall evasions :(.
@reverseics It's not even just evasions. Certain firewalls tend to change how they handle things like TCP streams and it's cause outages. For example: An org was allowing DNP3 by protocol through a fancy firewall because they didn't want someone to abuse port 20000 or whatever they were using. But the firewall changed its timeouts and application fingerprinting so the only part of the stream that flagged as DNP3 was the beginning. After a certain amount of time ( since we know DNP3 streams can be maintained for a long time ) it flagged the traffic as generic TCP and dropped it. It was a weird one to troubleshoot.
-
R relay@relay.infosec.exchange shared this topic
