Thursday, January 18, 2007

Port Scanning Precursor to Attempted SCADA Attacks?

Via The SANS Internet Storm Center's Daily Handler's Diary.

We've been noticing a fair amount of activity on port 20000/TCP over the last month or so.

A number of people wrote in with information about recent alerts for activity targeting the DNP protocol or systems running DNP services. DNP is used in SCADA systems in the electric and water utilities industry for process control.

DNP scanning activity was first reported in Oct 2006 with alerts in late Nov 2006. Significant scanning has been observed in late Dec. 2006 and is ongoing. A reader also contributed details of a system infection recently where port 1901/TCP and 20000/TCP were both used. Some reports have suggested a relationship between these DNP scans and scanning activity for port 10000/TCP (NDMP, Webmin).

Without more information on the scanning sources or full packet captures it is difficult to pinpoint/pigeonhole the current activity.
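To make this kind of activity visible in one's own connection logs, here is an added example (not code from the ISC diary or this blog) that counts how many distinct hosts each source touches on 20000/TCP and records whether the same source also probed 10000/TCP or 1901/TCP, the ports the diary mentions alongside the DNP scans. The key=value log format and the RFC 5737 addresses are constructed for the example.

```python
"""Flag sources sweeping 20000/TCP (DNP) in a connection log and note whether
they also touched 10000/TCP or 1901/TCP. Log format and addresses are constructed."""
from collections import defaultdict
import re

DNP_PORT = 20000
RELATED_PORTS = {10000, 1901}   # ports the diary reports appearing with DNP scans

# Constructed sample lines in a simple key=value flow-log format (not ISC data).
SAMPLE_LOG = """\
2007-01-10T03:12:44 src=198.51.100.7 dst=192.0.2.15 dport=20000 proto=tcp
2007-01-10T03:12:44 src=198.51.100.7 dst=192.0.2.16 dport=20000 proto=tcp
2007-01-10T03:12:45 src=198.51.100.7 dst=192.0.2.17 dport=20000 proto=tcp
2007-01-10T03:12:45 src=198.51.100.7 dst=192.0.2.18 dport=20000 proto=tcp
2007-01-10T03:12:46 src=198.51.100.7 dst=192.0.2.18 dport=10000 proto=tcp
2007-01-10T03:13:01 src=203.0.113.9 dst=192.0.2.15 dport=20000 proto=tcp
2007-01-10T03:13:02 src=203.0.113.9 dst=192.0.2.15 dport=1901 proto=tcp
2007-01-10T03:14:10 src=192.0.2.50 dst=192.0.2.15 dport=20000 proto=tcp
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)

def parse_log(text):
    """Yield (src, dst, dport) for each TCP line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("proto") == "tcp":
            yield m.group("src"), m.group("dst"), int(m.group("dport"))

def summarize(text):
    """Per source that hit 20000/TCP: distinct DNP targets and related ports seen.
    Sources that only touched the related ports are not reported."""
    dnp_targets = defaultdict(set)
    related = defaultdict(set)
    for src, dst, dport in parse_log(text):
        if dport == DNP_PORT:
            dnp_targets[src].add(dst)
        elif dport in RELATED_PORTS:
            related[src].add(dport)
    return {src: {"dnp_targets": len(t), "related_ports": sorted(related[src])}
            for src, t in dnp_targets.items()}

def flag_sweeps(text, min_targets=3):
    """Sources touching at least min_targets distinct hosts on 20000/TCP."""
    return sorted(src for src, s in summarize(text).items()
                  if s["dnp_targets"] >= min_targets)
```

A single host talking to one DNP outstation is normal in a utility network, so the threshold on distinct targets is what separates a sweep from legitimate traffic; tune `min_targets` to the size of your address space.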

