I have noticed that I'm getting signature alerts with a signature Id 6061 (DNS InfoLeak-UDP) on my IPS module. It looks like the attacker shows as one of my domain controllers with a target of an IP address of over port 123. I know that port 123 is NTP and that is a non-routable address. Our network doesn't have any 192.168.1.x addresses configured. I don't see any traffic on my firewall or domain controller logs that initiate this.

What is this signature and is there something I should be doing about it? Am I missing something with how NTP on Windows works that it would be looking for NTP on


asked 11/23/2011 01:23

snowmizer's gravatar image

snowmizer ♦♦

1 Answers:
see you also posted on

if the attack is coming from the internet (WAN) there is nothing you can do about it. the IDS did its job and stopped it. your domain controller how is its w32tim setup?  what does it use as a source?


ve3ofa's gravatar image


Your answer
[hide preview]

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments


Asked: 11/23/2011 01:23

Seen: 259 times

Last updated: 12/08/2011 03:20