What's in Your CIP Sender Context? Fingerprinting Internet Scanners via EtherNet/IP
This is part of an ongoing series documenting observations from otpot, an OT-focused honeypot project. If you missed the intro, start there. otpot had been running for less than 24 hours before the first EtherNet/IP probes arrived. Censys and Shodan index everything, and a convincing Allen-Bradley 1756-L61 ControlLogix identity response is apparently interesting enough to attract regular visits. What I didn’t expect was that buried inside each of those requests was something useful: a consistent, scanner-specific value that makes it possible to identify who’s knocking purely from the protocol payload — no IP intelligence required. ...