NTP Packets triggering "unknown device event type"

Apr 9th, 2012

Lately I have begun to receive a number of "Unknown Device Event Type" alerts from our MARS Server across a number of different IPS all located in different networks. Not sure why these appear to be triggered with a Risk Rating between or 77 or why MARS can't figure out what they are!!!


Both Source and Destination Ports are UDP 123 and the actual event in the IPS is "NTP MODE_PRIVATE Denial of Service". id1090


Any ideas?

yevgeniy.fedko Tue, 04/10/2012 - 22:35

Experiencing the same issue, and suspect it is a false positive, since the traffic is between a legitimate Cisco device and an NTP server; the attack does not look like a DoS due to the very low volume of traffic.


Category: Denial of Service


Title: NTP mode 7 MODE_PRIVATE Packet Remote Denial of Service Vulnerability


Summary: Determine if NTP is prone to a remote denial-of-service vulnerability


Overview:

NTP is prone to a remote denial-of-service vulnerability because it fails to properly handle certain incoming network packets.

An attacker can exploit this issue to cause the application to consume excessive CPU resources and fill disk space with log messages.


Solution:

Updates are available for NTP server OS.
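
A triage sketch for the question raised in this thread, added here and not part of either post: it reads the mode field of captured UDP 123 payloads so an analyst can see whether the packets the signature fired on are ordinary time exchange or mode 7 (MODE_PRIVATE). The function names and the sample payloads are constructed for illustration.

```python
# Added example: classify UDP/123 payloads by NTP mode to triage IPS alerts.
MODES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive",
         3: "client", 4: "server", 5: "broadcast",
         6: "control", 7: "private (MODE_PRIVATE)"}

def classify_ntp(payload: bytes) -> dict:
    """Return the NTP mode and the header fields relevant to the alert."""
    if len(payload) < 4:
        return {"mode": None, "note": "too short to carry an NTP header"}
    first = payload[0]
    mode = first & 0x07              # low 3 bits of byte 0
    info = {"mode": mode, "mode_name": MODES[mode],
            "version": (first >> 3) & 0x07}
    if mode == 7:
        # Mode 7 header: R|M|VN|Mode, A|Sequence, Implementation, Request code
        info["response"] = bool(first & 0x80)
        info["implementation"] = payload[2]
        info["request_code"] = payload[3]
        info["note"] = "mode 7: the packet type the signature title names"
    elif 1 <= mode <= 5:
        # Time exchange header: LI|VN|Mode, Stratum, Poll, Precision
        info["leap"] = first >> 6
        info["stratum"] = payload[1]
        info["note"] = ("time exchange" if len(payload) >= 48
                        else "time-exchange mode but shorter than 48 bytes")
    else:
        info["note"] = "not a time-exchange packet"
    return info

def mode7_indexes(payloads) -> list:
    """Indexes of the payloads that are mode 7, for follow-up by source host."""
    return [i for i, p in enumerate(payloads)
            if classify_ntp(p)["mode"] == 7]

# Constructed sample payloads (not taken from the thread).
SAMPLE_CLIENT = bytes([0x23]) + bytes(47)        # VN=4, mode 3
SAMPLE_SERVER = bytes([0x24, 0x02]) + bytes(46)  # VN=4, mode 4, stratum 2
SAMPLE_MODE7 = bytes([0x17, 0x00, 0x00, 0x00]) + bytes(4)  # VN=2, mode 7

if __name__ == "__main__":
    for name, pkt in [("client", SAMPLE_CLIENT), ("server", SAMPLE_SERVER),
                      ("mode7", SAMPLE_MODE7)]:
        print(name, classify_ntp(pkt))
```

Feeding it the payload bytes exported from the packets the IPS captured shows which side of the conversation, if either, is sending mode 7.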
