SCADA Scanning

University of Michigan | 7/3/2015

University of Michigan - SCADA Scanning -

I noticed a interesting trend in the log files of the honeypot networks I am handling.

A /24 network range belonging to University of Michigan, showed a interest for e.g ModBus (port 502/TCP) The scans was found across many of my different honeypots placed in Europe/US.

In reply to my abuse rapport, i did receive the following;

"These connections are part of an Internet-wide research study being conducted by computer scientists at the University of Michigan. The research involves making benign connection attempts to every public IP address. By measuring the entire public address space, we are able to analyze global patterns and trends in protocol deployment and security.


If our scans are causing problems, we would be happy to exclude your host or network from future research scans from the University of Michigan. Simply send us your IP address or CIDR prefix.


Alternatively, you can configure your firewall to drop traffic from the subnets we use for scanning:

141.212.121.0/24 and 141.212.122.0/24"

 

My suggestion: You might consider to block above network ranges, unless you  (and your SCADA equipment) want to participate in University of Michigan's SCADA Research.