Skip to main content
Practical Modbus Flooding Attack and Detection
Information Security Conference (2014)
  • Sajal Bhatia, Queensland University of Technology
  • Nishchal Kush, Queensland University of Technology
  • Chris Djamaludin, Queensland University of Technology
  • James Akande, Queensland University of Technology
  • Ernest Foo, Queensland University of Technology
The Modicon Communication Bus (Modbus) protocol is one of the most commonly used protocols in industrial control systems. Modbus was not designed to provide security. This paper confirms that the Modbus protocol is vulnerable to flooding attacks. These attacks involve injection of commands that result in disrupting the normal operation of the control system. This paper describes a set of experiments that shows that an anomaly-based change detection algorithm and signature-based Snort threshold module are capable of detecting Modbus flooding attacks. In comparing these intrusion detection techniques, we find that the signature-based detection requires a carefully selected threshold value, and that the anomaly-based change detection algorithm may have a short delay before detecting the attacks depending on the parameters used. In addition, we also generate a network traffic dataset of flooding attacks on the Modbus control system protocol. 
  • Modbus,
  • Denial-of-Service (DoS),
  • Change Detection,
  • Intrusion Detection
Publication Date
January 20, 2014
Citation Information
Sajal Bhatia, Nishchal Kush, Chris Djamaludin, James Akande, et al.. "Practical Modbus Flooding Attack and Detection" Information Security Conference (2014)
Available at: