NTP Packets triggering "unknown device event type"

Unanswered Question
Apr 9th, 2012
User Badges:

Lately I have begun to recieve a number of "Unknow Device Event Type" alerts from our MARS Server accross a number of different IPS all located in different networks. Not sure why these appear to be triggered with a Risk Rating between or 77 or why MARS can't figure out what they are!!!

Both Source and Destination Ports are UDP 123 and the actuall event in the IPS is "NTP MODE_PRIVATE Denial of Service". id1090

Any ideas.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
yevgeniy.fedko Tue, 04/10/2012 - 22:35
User Badges:

Expiriencing same issue, and suspect it is a false positive, since traffic is between Cisco legitimate device and NTP server; Attack does not look like a DoS due to very less volume of traffic

Category: Denial of Service

Title: NTP mode 7 MODE_PRIVATE Packet Remote Denial of Service Vulnerability

Summary: Determine if NTP is prone to a remote denial-of-service vulnerability


NTP is prone to a remote denial-of-service vulnerability because it fails to properly handle certain incoming network packets.

An attacker can exploit this issue to cause the application to consume excessive CPU resources and fill disk space with log messages.


Updates are available for NTP server OS.


This Discussion