
SANS ISC Internet Storm Center


Heartbleed CRL Activity Spike Found

Published: 2014-04-16
Last Updated: 2014-04-18 01:51:02 UTC
by Alex Stanford (Version: 1)
7 comment(s)

Update: CloudFlare posted in their blog twice today claiming responsibility for the majority of this spike. Quoting: "If you assume that the global average price for bandwidth is around $10/Mbps, just supporting the traffic to deliver the CRL would have added $400,000USD to Globalsign's monthly bandwidth bill."

Update: We've also seen articles from ZDNet and WIRED today in response to the below insights, with further analysis therein.

It looks like, as I had suspected, the CRL activity numbers we have been seeing did not reflect the real volume caused by the OpenSSL Heartbleed bug.

This evening I noticed a massive spike in the amount of revocations being reported by this CRL:

The spike is so large that we initially thought it was a mistake, but we have since confirmed that it's real! We're talking about over 50,000 unique revocations from a single CRL:

This is by an order of magnitude the largest spike in revocation activity seen in years, according to our current data.

I have set up a new page for everyone to monitor the activity as well as see how we are obtaining this data. The page can be found at

How will you use this page in your projects or general analysis? We'd love to hear some ideas.

If you know of other CRLs that we can add, please let us know in the comments! Additionally, if you would like to see an API call added so that you can automatically query us for this information, please let us know so that we are aware of the demand.

On a side note, we can see a clear upward trend in revocations over the past 3 or 4 years:

What do you attribute this consistent growth in revocations to? What do you think caused the previous spikes?

Alex Stanford - GIAC GWEB,
Research Operations Manager,
SANS Internet Storm Center
/in/alexstanford | @alexstanford


Looking for malicious traffic in electrical SCADA networks - part 2 - solving problems with DNP3 Secure Authentication Version 5

Published: 2014-04-17
Last Updated: 2014-04-17 20:25:34 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
1 comment(s)

I received this week a very valuable e-mail from the DNP Technical Committee Chair, Mr. Andrew West, who pointed out an excellent observation: the very slow adoption of DNP3 Secure Authentication Version 5, the latest security enhancement for the DNP3 protocol. Today I want to talk about this standard and the advantages of adopting it in your DNP3 SCADA system.

This standard has two specific objectives:

  • Help the DNP3 outstation determine beyond any reasonable doubt that it is communicating with an authorized user.
  • Help the DNP3 master determine beyond any reasonable doubt that it is communicating with the correct outstation.

This standard minimizes the following risks:

  • Spoofing of the outstation or master: the original specification uses only the DNP3 outstation address for identification, whereas the new standard uses cryptographic keys to authenticate each end.
  • Modification: the standard adopts the Message Authentication Code (MAC) mechanism described in ISO/IEC 9798-4, which lets the receiver determine whether a message was modified before it arrived, ensuring integrity.
  • Replay attack: valid traffic can no longer be retransmitted by a third party, because the authentication information would not be the same.
  • Eavesdropping: cryptographic keys are exchanged securely, but the data itself is still transmitted in clear text, so confidentiality is not ensured. You need additional gear such as crypto-boxes on each end of the communication link.
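To make the first three points concrete, here is an added, simplified model of the SAv5 challenge/response exchange (this is illustrative code written for this diary, not the standard's frame format or any vendor's implementation; the session key, challenge data and ASDU bytes are constructed placeholders, and key update, aggressive mode and the real object encoding are omitted). The outstation holds a critical ASDU, issues a challenge, and accepts only a reply whose MAC matches under the shared session key, so a spoofed sender, a modified ASDU and a replayed reply are all rejected:

```python
import hashlib
import hmac
import secrets
import struct

def compute_mac(key, csq, nonce, asdu):
    """Truncated HMAC-SHA256 over challenge sequence number, challenge data and the ASDU."""
    return hmac.new(key, struct.pack(">I", csq) + nonce + asdu, hashlib.sha256).digest()[:16]

class Outstation:
    def __init__(self, key):
        self.key = key
        self.csq = 0          # challenge sequence number, incremented for every challenge
        self.pending = None   # (csq, nonce, asdu) of the challenge awaiting a reply

    def challenge(self, received_asdu):
        """Hold a critical ASDU and challenge the sender to prove it has the session key."""
        self.csq += 1
        nonce = secrets.token_bytes(4)   # constructed challenge data
        self.pending = (self.csq, nonce, received_asdu)
        return self.csq, nonce

    def verify(self, csq, mac):
        """Accept the held ASDU only if the reply matches the current, unused challenge."""
        if self.pending is None or csq != self.pending[0]:
            return False
        ok = hmac.compare_digest(mac, compute_mac(self.key, *self.pending))
        self.pending = None   # a challenge is consumed once, so a replayed reply fails
        return ok

def run_scenarios():
    """Genuine, replayed, modified and spoofed traffic; True means the outstation accepted it."""
    key = secrets.token_bytes(32)      # constructed shared session key (SAv5 derives it via key update)
    out = Outstation(key)
    asdu = b"\xc0\x05\x0c\x01\x17\x01\x03\x41"   # constructed placeholder for a control ASDU
    results = {}
    csq, nonce = out.challenge(asdu)                  # 1. genuine master answers a fresh challenge
    mac = compute_mac(key, csq, nonce, asdu)
    results["genuine"] = out.verify(csq, mac)
    out.challenge(asdu)                               # 2. the same reply replayed to a later challenge
    results["replay"] = out.verify(csq, mac)
    csq, nonce = out.challenge(asdu[:-1] + b"\x00")   # 3. ASDU altered in transit; master signs the original
    results["modified"] = out.verify(csq, compute_mac(key, csq, nonce, asdu))
    csq, nonce = out.challenge(asdu)                  # 4. sender that does not hold the session key
    results["spoofed"] = out.verify(csq, compute_mac(secrets.token_bytes(32), csq, nonce, asdu))
    return results
```

Note that nothing here hides the ASDU contents, which is exactly the eavesdropping gap the fourth bullet describes.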

The following diagram shows the implementation architecture for this standard (layers listed from top to bottom):

  DNP Application Layer
  DNP Secure Authentication
  DNP Transport Function
  DNP Data Link Layer
  Serial or Internet Protocol Suite

As seen, an additional layer is inserted just below the application layer, providing the new security features. Unfortunately, two specific reasons are preventing this standard from being widely deployed around the world:

  • ICS systems are still being planned to last 10 to 20 years: technology has reached that world, but most ICS people have not noticed yet. They still think an air gap is enough to protect ICS systems and will not consider new investments to implement new security features. The United States is one of the leaders in regulation for critical infrastructure, but this is not the case in most countries, and unless governments pass new laws enforcing cybersecurity on critical infrastructure, adoption of such standards will remain slow.
  • DNP3 equipment manufacturers do not offer the same references and features in all countries of the world, and most of them even claim that this standard is not yet supported (for example, in South America).

Cybersecurity is still not mature in the ICS industry and has a long way to go. Information security professionals working in the ICS world have a really big challenge: we need to demonstrate that information security controls like this standard will return on the investment for the company, and that the risk of not having them, when operating infrastructure that is critical to a country, could be catastrophic with incalculable impact. This standard works, will not put any ICS facility at risk, and we all have a responsibility to ensure it is implemented in our companies.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
e-mail: msantand at isc dot sans dot org

Keywords: DNP3 SCADA

