About IEC 60870-5-104

IEC 104 is the European cousin of DNP3. It is more complex than Modbus, but a good bit simpler than DNP3. It consists of two layers:

The application layer defines a number of Type Ids which can be thought of as function codes. They define the format of the data that follows. Unlike in DNP3, 104 ASDUs can only contain one type of data.

Functions supported

The 104 fuzzer provides support for every TypeId defined in the standard. This doesn't guarantee that all possible bugs will be found, but it does mean there that a significant portion of the application layer is stressed by the fuzzer.

Health checks

The fuzzer queries the device under test (DUT) by sending a U-format frame with TESTFR ACT and expects to receive TESTFR CON in response.

Conformance and parameters

Some parameters in IEC 104 have configurable sizes that both sides must agree upon. Aegis uses the following values:

There are the defaults for almost all systems, and the only settings that work with Wireshark.

Handshaking

Parameters

Procedures (outstation)

Procedures (master)

Procedures (either master or outstation)

The following procedures send frames with malformed APCI. You will almost certainly need to run each test case in its own TCP session (i.e. tests-per-session == 1).

Test Plans

Your Aegis installation of contains recommended test plans for both outstations and masters.

In most cases, the only parameter you need to adjust will be the common address.

The recommended test plan repeats some of the procedures with different fill or random seeds. It is recommended that you follow the plan for maximum efficacy, but on slow implementations, this could take a long time. Some implementations can handle hundreds of test cases per second, while others only seem to handle a couple dozen. It may be worth figuring out why the implementation is slow to respond to health checks or requests. You might consider running additional random seeds besides zero if your have enough time.

The last test case in each plan generates random application layer data within appropriate encapsulation. It is arbitrarily set to 250,000 iterations. Run as many iterations as you can tolerate with the speed of your device.