I was wondering if my controller would survive if it were placed on an external IP address and be made accessible from anywhere. Now there are a number of things I can do like disabling functions and TCP ports, but that might not be as interesting. So with only a change in password I connected a controller out there.
I have been amazed by the level of login attempts occurring on the Telnet command port. With a little research I have determined that by far the majority of these are the Mirai botnet. I'll put a Wiki link below if you want to read more. The shocking thing to me was how quickly the controller was discovered. The IP address I used was not in use at all before. The logins began within 10 minutes!
Apparently this particular botnet was used back last October to perpetrate some serious denial of service attacks (DDoS). It propagates itself through Telnet connections and is targeting devices running Linux. Well, this controller is not Linux. It is real busy out there. How many millions of devices need to be infected to then cover millions of IP addresses such that my single IP address gets hit in just 10 minutes? Unbelievable!
Okay, so I found the source code for Mirai on GitHub and was shocked that it just picks random IP addresses! Well, it does filter out DoD IP addresses, the Post Office, and companies like HP (I don't know why), but it is still fishing in a veritable ocean of IP addresses.
The controller (which I have since named HoneyPot) sees from 15 to 20 new apparently infected hosts/devices every hour. Each attempts a full gamut of logins before moving on. It is just a terrible waste of good bandwidth and ultimately we all pay for that.
I know it is crazy to expose a controller like that but so far it is surviving. I feel confident that it could be employed for useful work. This one supports TLS secure communications and can be configured to require that. This test has helped me improve the unit's reliability under attack. For non-critical applications it would work.
Well, if you are interested, the infected machines/devices that are knocking at the door are located all over the world. The controller logs failed login attempts. I wrote an application to run on that unit to process the access log and to use an IP address location service to get GIS coordinates. I've mapped this on a page served by the controller in its public web server area. You can see from how far away this little box sitting on the shelf is being called. Pretty amazing. Here is the URL for the page. You are welcome to check it out.
If you Telnet to that unit and fail a login you can add yourself to the map. The IP locations are approximate so the marker won't sit on your house (thankfully). But it gives a general feeling. It's pretty interesting so I thought that I would share. The point though is that the traffic associated with this is truly unfortunate. Meanwhile, if you have devices with an open Telnet port (Port 23 or Port 2323) you might want to make sure that the password is unique and strong.
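The post describes processing the controller's failed-login log, counting new hosts per hour and attaching approximate coordinates for a map. The following is an added example of that kind of log analysis; it is not the poster's application or the controller's own code. The log line format, the sample lines, and the `GEO_TABLE` coordinate lookup are all constructed assumptions (the table stands in for the IP-location service, which would otherwise need a network call), and the `credential_list_sources` check goes one step beyond the post by flagging sources that cycle through several usernames, the signature of an automated credential list rather than a person mistyping a password.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines. The line format is an assumption for this
# example; it is not the controller's actual log format from the post.
SAMPLE_LOG = """\
2017-03-01 10:00:02 telnet login failed from 198.51.100.7 user=root
2017-03-01 10:00:03 telnet login failed from 198.51.100.7 user=admin
2017-03-01 10:00:05 telnet login failed from 198.51.100.7 user=support
2017-03-01 10:04:40 telnet login failed from 203.0.113.42 user=root
2017-03-01 10:04:41 telnet login failed from 203.0.113.42 user=admin
2017-03-01 10:31:12 ftp login failed from 192.0.2.99 user=anonymous
2017-03-01 11:02:00 telnet login failed from 198.51.100.7 user=root
2017-03-01 11:15:30 telnet login failed from 192.0.2.15 user=root
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<svc>\w+) login failed "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) user=(?P<user>\S+)$"
)

# Constructed approximate coordinates keyed by /24 prefix. This stands in for the
# IP-location service mentioned in the post; a real lookup needs a network call.
GEO_TABLE = {
    "198.51.100": (51.5, -0.1),
    "203.0.113": (-33.9, 151.2),
    "192.0.2": (37.8, -122.4),
}


def parse_log(text):
    """Turn failed-login lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "service": m.group("svc"),
            "src": m.group("src"),
            "user": m.group("user"),
        })
    return events


def new_hosts_per_hour(events):
    """Count sources by the hour in which they were first seen (the post's
    'new hosts per hour' figure); repeat visits from a known source are not new."""
    first_seen = {}
    for e in sorted(events, key=lambda e: e["time"]):
        first_seen.setdefault(e["src"], e["time"].strftime("%Y-%m-%d %H:00"))
    counts = defaultdict(int)
    for hour in first_seen.values():
        counts[hour] += 1
    return dict(counts)


def summarize_sources(events):
    """Per source: attempt count plus the distinct usernames and services tried."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["src"], {"attempts": 0, "users": set(), "services": set()})
        s["attempts"] += 1
        s["users"].add(e["user"])
        s["services"].add(e["service"])
    return summary


def credential_list_sources(summary, min_users=3):
    """Sources that cycled through several usernames, the behaviour of an
    automated credential list rather than a mistyped password."""
    return sorted(src for src, s in summary.items() if len(s["users"]) >= min_users)


def map_points(summary, geo_table=GEO_TABLE):
    """Attach approximate coordinates for plotting; prefixes absent from the
    table are left off the map rather than guessed."""
    points = []
    for src, s in summary.items():
        coords = geo_table.get(src.rsplit(".", 1)[0])
        if coords:
            points.append((coords[0], coords[1], src, s["attempts"]))
    return sorted(points, key=lambda p: p[2])


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("new hosts per hour:", new_hosts_per_hour(ev))
    summ = summarize_sources(ev)
    print("credential-list style sources:", credential_list_sources(summ))
    for lat, lon, src, n in map_points(summ):
        print(f"{src:15} {n:3} attempts at ({lat}, {lon})")
```

Running it on the constructed lines reports three new sources in the 10:00 hour and one in the 11:00 hour, and flags 198.51.100.7 as the only source that tried three or more usernames. On a real controller log the same per-source summary is the useful starting point: a source with one attempt is noise, while one that walks a list of usernames across Telnet and FTP is the automated traffic the post describes.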
This is very interesting and should be a reminder to us all that attempted hacking of industrial controllers is a dangerous game for the owners. We should pay particular attention to remotely accessed control systems that only need one intrusion to cause chaos.
Thank you for bringing your experiences to our attention.
I should point out that it is not just the Telnet port (23) that is seeing attacks. There have been connection attempts on other ports such as those used for FTP and even the product's own protocol. All of it seems to be automated so far. I haven't seen anything that looks like an actual person is at the other end trying to hack in. If this controller managed some critical asset I would imagine that we would see that at some point. Still, the relentless level of automated communications (bots) amounts to a kind of bandwidth pollution. You just don't realize it when you pick up that CAT5 cable and look at it.