An event buffer flooding attack in DNP3 controlled SCADA systems

Dong Jin, David M. Nicol, Guanhua Yan

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution


The DNP3 protocol is widely used in SCADA systems (particularly in electrical power) as a means of communicating observed sensor state information back to a control center. Typical architectures using DNP3 have a two-level hierarchy: a specialized data aggregator receives observed state from devices within a local region, and the control center collects the aggregated state from the data aggregator. DNP3 communications are asynchronous across the two levels, which makes it possible to completely fill a data aggregator's buffer of pending events when a compromised relay sends an excessive number of (false) events to the data aggregator. This paper investigates the attack by implementing it on real SCADA system hardware and software. A Discrete-Time Markov Chain (DTMC) model is developed to understand the conditions under which the attack is successful and effective. The model is validated against a Möbius simulation model and against data collected on a real SCADA testbed.
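Worked example (added here; it is not code from the paper, its testbed, or any DNP3 implementation): a small discrete-time Markov chain of the aggregator's pending-event buffer, in the spirit of the DTMC the abstract describes. The state is the number of events awaiting collection; each time slot the compromised relay may inject a false event, the region's legitimate relays may raise a genuine one, and the control center may poll and collect a batch. The buffer capacity, the per-slot event and poll probabilities, the batch size, the drop-newest behaviour at a full buffer, and the attacker-first ordering within a slot are all illustrative assumptions, not figures from the paper or from the DNP3 specification. The block solves the chain for its long-run occupancy and reports the fraction of genuine events lost as the injection rate rises, which is the success condition the paper's model is built to capture.

```python
"""DTMC model of an event-buffer flooding attack on a DNP3 data aggregator.

Illustrative model, not the paper's: state s in {0, ..., B} is the number of events
pending in the aggregator's buffer awaiting collection by the control center.
Each time slot (all parameters hypothetical):
  * the compromised relay injects a false event with probability p_attack,
  * the legitimate relays in the region raise one genuine event with probability p_legit,
  * the control center polls the aggregator with probability p_poll and collects up to
    `drain` pending events.
Events arriving at a full buffer are discarded (assumed drop-newest policy), and within
a slot the attacker's event is assumed to arrive before the genuine one (worst case).
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class BufferModel:
    capacity: int     # B: pending events the aggregator can hold
    p_attack: float   # per-slot probability of a false event from the compromised relay
    p_legit: float    # per-slot probability of a genuine event from the region
    p_poll: float     # per-slot probability that the control center polls
    drain: int        # events collected per poll

    def transition_matrix(self):
        """Row-stochastic T[s][t]: one slot = arrivals (attack first), then a possible poll."""
        n = self.capacity + 1
        T = [[0.0] * n for _ in range(n)]
        for s in range(n):
            for attack in (0, 1):
                pa = self.p_attack if attack else 1.0 - self.p_attack
                for legit in (0, 1):
                    pl = self.p_legit if legit else 1.0 - self.p_legit
                    for poll in (0, 1):
                        pc = self.p_poll if poll else 1.0 - self.p_poll
                        t = min(self.capacity, s + attack)   # overflow: false event dropped
                        t = min(self.capacity, t + legit)    # overflow: genuine event dropped
                        if poll:
                            t = max(0, t - self.drain)
                        T[s][t] += pa * pl * pc
        return T

    def stationary_distribution(self, tol=1e-12, max_iter=200_000):
        """Long-run occupancy pi[s], by power iteration from an empty buffer."""
        T = self.transition_matrix()
        n = self.capacity + 1
        pi = [1.0] + [0.0] * (n - 1)
        for _ in range(max_iter):
            nxt = [sum(pi[s] * T[s][t] for s in range(n)) for t in range(n)]
            if max(abs(a - b) for a, b in zip(nxt, pi)) < tol:
                return nxt
            pi = nxt
        return pi

    def legit_drop_probability(self):
        """Long-run probability that a genuine event finds the buffer full and is lost.

        If the attacker's event arrived first this slot, the buffer holds min(B, s + 1)
        events when the genuine one arrives; otherwise it holds s.
        """
        B = self.capacity
        total = 0.0
        for s, weight in enumerate(self.stationary_distribution()):
            full_after_attack = 1.0 if s + 1 >= B else 0.0
            full_otherwise = 1.0 if s >= B else 0.0
            total += weight * (self.p_attack * full_after_attack
                               + (1.0 - self.p_attack) * full_otherwise)
        return total


def minimum_flooding_rate(base, loss_target, step=0.05):
    """Smallest p_attack on a grid at which the genuine-event loss reaches loss_target.

    Returns None if even p_attack = 1.0 cannot reach the target, i.e. the control
    center's polling keeps up with the flood.
    """
    steps = int(round(1.0 / step))
    for i in range(steps + 1):
        p = min(1.0, i * step)
        if replace(base, p_attack=p).legit_drop_probability() >= loss_target:
            return p
    return None


if __name__ == "__main__":
    # Hypothetical aggregator: small buffer, light genuine traffic, polled every ~2.5 slots.
    base = BufferModel(capacity=20, p_attack=0.0, p_legit=0.2, p_poll=0.4, drain=2)
    print("p_attack  genuine events lost")
    for p in (0.0, 0.25, 0.5, 0.75, 0.95):
        m = replace(base, p_attack=p)
        print(f"{p:8.2f}  {m.legit_drop_probability():.4f}")
    print("first rate losing >= 30% of genuine events:",
          minimum_flooding_rate(base, loss_target=0.3))
```

The point the model makes visible is the one in the abstract: because the control center's polling is asynchronous with respect to the region's event generation, nothing bounds the aggregator's occupancy except its capacity, so once the attacker's injection rate pushes the total arrival rate past the effective collection rate (p_poll times drain, minus what the buffer is too empty to supply), the chain concentrates at the top of the buffer and genuine events are the ones lost. A defender can read the same chain the other way: raising the poll rate or the batch size, or shrinking the attacker's share with per-source event limits, moves the loss curve to the right.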

Original language: English (US)
Title of host publication: Proceedings of the 2011 Winter Simulation Conference, WSC 2011
Number of pages: 13
State: Published - 2011
Event: 2011 Winter Simulation Conference, WSC 2011 - Phoenix, AZ, United States
Duration: Dec 11 2011 - Dec 14 2011

Publication series

Name: Proceedings - Winter Simulation Conference
ISSN (Print): 0891-7736


Other: 2011 Winter Simulation Conference, WSC 2011
Country/Territory: United States
City: Phoenix, AZ

ASJC Scopus subject areas

  • Software
  • Modeling and Simulation
  • Computer Science Applications

