
I have noticed that I'm getting signature alerts with a signature Id 6061 (DNS InfoLeak-UDP) on my IPS module. It looks like the attacker shows as one of my domain controllers with a target of an IP address of 192.168.1.4 over port 123. I know that port 123 is NTP and that 192.168.1.4 is a non-routable address. Our network doesn't have any 192.168.1.x addresses configured. I don't see any traffic on my firewall or domain controller logs that initiate this.

What is this signature and is there something I should be doing about it? Am I missing something with how NTP on Windows works that it would be looking for NTP on 192.168.1.4?


Thanks.

asked 11/23/2011 01:23


snowmizer ♦♦


1 Answer:
I see you also posted on https://supportforums.cisco.com/thread/2109935

If the attack is coming from the internet (WAN), there is nothing you can do about it. The IDS did its job and stopped it. Your domain controller: how is its w32time set up? What does it use as a source?

answered


ve3ofa

Asked: 11/23/2011 01:23

Seen: 259 times

Last updated: 12/08/2011 03:20