Cisco Support Community

New Member

NTP Packets triggering "unknown device event type"

Lately I have begun to receive a number of "Unknown Device Event Type" alerts from our MARS Server across a number of different IPS all located in different networks. Not sure why these appear to be triggered with a Risk Rating between or 77 or why MARS can't figure out what they are!!!

Both Source and Destination Ports are UDP 123 and the actual event in the IPS is "NTP MODE_PRIVATE Denial of Service". id1090

Any ideas?

2 REPLIES
New Member

It appears to be a new signature from S639, released a few days ago, although the vulnerability itself is not new.

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=1090&signatureSubId=0&softwareVersion=6.0&releaseVersion=S639

http://www.kb.cert.org/vuls/id/568372

New Member

Experiencing the same issue, and I suspect it is a false positive, since the traffic is between a legitimate Cisco device and an NTP server. The attack does not look like a DoS due to the very low volume of traffic.

Category: Denial of Service

Title: NTP mode 7 MODE_PRIVATE Packet Remote Denial of Service Vulnerability

Summary: Determine if NTP is prone to a remote denial-of-service vulnerability

Overview:

NTP is prone to a remote denial-of-service vulnerability because it fails to properly handle certain incoming network packets.

An attacker can exploit this issue to cause the application to consume excessive CPU resources and fill disk space with log messages.

Solution:

Updates are available for NTP server OS.

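A triage sketch for the alerts discussed in this thread, added as an example (not posted by any participant, and not Cisco code): it reads the NTP mode field from the first byte of each UDP/123 payload and reports, per flow, how many packets were mode 7 and at what rate. The record layout `(timestamp, src, dst, payload_hex)`, the addresses and the payload bytes are constructed for illustration.

```python
from collections import Counter, defaultdict

# Low three bits of the first payload byte carry the NTP mode.
MODE_NAMES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive",
              3: "client", 4: "server", 5: "broadcast",
              6: "control (mode 6)", 7: "private (mode 7)"}

def decode_first_byte(payload: bytes):
    """Return (version, mode) from the first byte of an NTP UDP payload."""
    if len(payload) < 1:
        raise ValueError("empty UDP payload")
    return (payload[0] >> 3) & 0x07, payload[0] & 0x07

def summarize(records):
    """Group captured packets by (src, dst); count modes and the mode 7 rate."""
    flows = defaultdict(lambda: {"modes": Counter(), "m7_times": []})
    for ts, src, dst, payload_hex in records:
        flow = flows[(src, dst)]
        try:
            _, mode = decode_first_byte(bytes.fromhex(payload_hex))
        except ValueError:  # bad hex or empty payload: count it, do not guess
            flow["modes"]["undecodable"] += 1
            continue
        flow["modes"][MODE_NAMES[mode]] += 1
        if mode == 7:
            flow["m7_times"].append(ts)
    report = {}
    for key, flow in flows.items():
        times = flow["m7_times"]
        # Use at least a one-second window so a single packet is not a "rate".
        span = max(max(times) - min(times), 1.0) if times else 1.0
        report[key] = {"modes": dict(flow["modes"]),
                       "mode7_count": len(times),
                       "mode7_per_sec": len(times) / span}
    return report

# Constructed sample capture: only the first payload byte is meaningful here,
# the remaining bytes are zero padding.
SAMPLE = [
    (0.0,   "192.0.2.10", "192.0.2.1",  "23" + "00" * 47),  # version 4, client
    (0.1,   "192.0.2.1",  "192.0.2.10", "24" + "00" * 47),  # version 4, server
    (64.0,  "192.0.2.10", "192.0.2.1",  "17" + "00" * 7),   # version 2, mode 7
    (128.0, "192.0.2.10", "192.0.2.1",  "17" + "00" * 7),   # version 2, mode 7
    (130.0, "192.0.2.10", "192.0.2.1",  ""),                # truncated capture
]

if __name__ == "__main__":
    for flow, stats in summarize(SAMPLE).items():
        print(flow, stats)
```

A flow that shows only client and server modes did not carry the packet type the signature name refers to, while a flow with mode 7 packets can be judged on its per-second rate.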