Practical Modbus flooding attack and detection

Bhatia, Sajal, Kush, Nishchal, Djamaludin, Chris, Akande, Ayodeji, & Foo, Ernest (2014) Practical Modbus flooding attack and detection. In Parampalli, Udaya & Welch, Ian (Eds.) Proceedings of the Twelfth Australasian Information Security Conference (AISC 2014) [Conferences in Research and Practice in Information Technology, Volume 149], Australian Computer Society, Inc., Auckland University of Technology, Auckland, pp. 57-65.

View at publisher


The Modicon Communication Bus (Modbus) protocol is one of the most commonly used protocols in industrial control systems. Modbus was not designed to provide security. This paper confirms that the Modbus protocol is vulnerable to flooding attacks. These attacks involve injection of commands that result in disrupting the normal operation of the control system. This paper describes a set of experiments that shows that an anomaly-based change detection algorithm and signature-based Snort threshold module are capable of detecting Modbus flooding attacks. In comparing these intrusion detection techniques, we find that the signature-based detection requires a carefully selected threshold value, and that the anomaly-based change detection algorithm may have a short delay before detecting the attacks depending on the parameters used. In addition, we also generate a network traffic dataset of flooding attacks on the Modbus control system protocol.

Impact and interest:

0 citations in Scopus
Search Google Scholar™

Citation counts are sourced monthly from Scopus and Web of Science® citation databases.

These databases contain citations from different subsets of available publications and different time periods and thus the citation count from each is usually different. Some works are not in either database and no count is displayed. Scopus includes citations from articles published in 1996 onwards, and Web of Science® generally from 1980 onwards.

Citations counts from the Google Scholar™ indexing service can be viewed at the linked Google Scholar™ search.

Full-text downloads:

275 since deposited on 16 Jan 2014
34 in the past twelve months

Full-text downloads displays the total number of times this work’s files (e.g., a PDF) have been downloaded from QUT ePrints as well as the number of downloads in the previous 365 days. The count includes downloads for all files if a work has more than one.

ID Code: 66228
Item Type: Conference Paper
Refereed: Yes
Additional URLs:
Keywords: Modbus, Denial-of-Service (DoS), Change Detection, Intrusion Detection
ISBN: 978-1-921770-32-6
Subjects: Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > OTHER INFORMATION AND COMPUTING SCIENCES (089900) > Information and Computing Sciences not elsewhere classified (089999)
Divisions: Current > Schools > School of Electrical Engineering & Computer Science
Current > Institutes > Institute for Future Environments
Current > QUT Faculties and Divisions > Science & Engineering Faculty
Copyright Owner: Copyright 2014 Australian Computer Society, Inc.
Copyright Statement: This paper appeared at the Australasian Information Security Conference(ACSW-AISC 2014), Auckland, New Zealand, January 2014. Conferences in Research and Practice in Information Technology (CRPIT), Vol. 149, Udaya Parampalli and Ian Welch, Ed. Reproduction for academic, not-for-profit purposes permitted provided this text is included.
Deposited On: 16 Jan 2014 22:12
Last Modified: 03 Apr 2014 12:17

Export: EndNote | Dublin Core | BibTeX

Repository Staff Only: item control page