The TPS must protect against or limit the effects of known types of Denial of Service (DoS) attacks by employing signatures.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-242192	TIPP-IP-000270	SV-242192r840191_rule		Medium

Description
If the network does not provide safeguards against DoS attack, network resources will be unavailable to users. Installation of TPS detection and prevention components (i.e., sensors) at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume, type, or protocol usage. Detection components that use signatures can detect known attacks by using known attack signatures. Signatures are usually obtained from and updated by the IDPS component vendor. These attacks include SYN-flood, ICMP-flood, and Land Attacks. This requirement applies to the communications traffic functionality of the IDPS as it pertains to handling communications traffic, rather than to the IDPS device itself.

Description

If the network does not provide safeguards against DoS attack, network resources will be unavailable to users. Installation of TPS detection and prevention components (i.e., sensors) at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume, type, or protocol usage. Detection components that use signatures can detect known attacks by using known attack signatures. Signatures are usually obtained from and updated by the IDPS component vendor. These attacks include SYN-flood, ICMP-flood, and Land Attacks. This requirement applies to the communications traffic functionality of the IDPS as it pertains to handling communications traffic, rather than to the IDPS device itself.

STIG	Date
Trend Micro TippingPoint IDPS Security Technical Implementation Guide	2022-06-28

Details

Check Text ( C-45467r838220_chk )
1. In the Trend Micro SMS, navigate to "Profiles" and "Inspection Profiles" and select the organization's profile. 2. If there is not one configured, select "Default". 3. Click "Search". 4. Under "Filter criteria", select the Filter Category "Traffic Normalization, Exploits, and Vulnerabilities", select the "Filter Name" section and type "ddos". If the following filter names produced in the search list are not set to Block+Notify, this is a finding. Note: If the site has set up a security profile (i.e., not using the default profile), then this should be inspected using the site's SSP for compliance.

Check Text ( C-45467r838220_chk )

1. In the Trend Micro SMS, navigate to "Profiles" and "Inspection Profiles" and select the organization's profile.
2. If there is not one configured, select "Default".
3. Click "Search".
4. Under "Filter criteria", select the Filter Category "Traffic Normalization, Exploits, and Vulnerabilities", select the "Filter Name" section and type "ddos".

If the following filter names produced in the search list are not set to Block+Notify, this is a finding.

Note: If the site has set up a security profile (i.e., not using the default profile), then this should be inspected using the site's SSP for compliance.

Fix Text (F-45425r840190_fix)
1. In the Trend Micro SMS, navigate to "Profiles" and "Inspection Profiles" and select the organization's profile. 2. If there is not one configured, select "Default". 3. Click "Search". 4. Select the Filter Category "Traffic Normalization, Exploits, and Vulnerabilities". Select the "Filter Name" section and type "ddos". 5. Set all the items in the search to Block+Notify. Note: If the site has set up a security profile (i.e., not using the default profile), then this should be inspected using the site's SSP for compliance.

Fix Text (F-45425r840190_fix)

1. In the Trend Micro SMS, navigate to "Profiles" and "Inspection Profiles" and select the organization's profile.
2. If there is not one configured, select "Default".
3. Click "Search".
4. Select the Filter Category "Traffic Normalization, Exploits, and Vulnerabilities". Select the "Filter Name" section and type "ddos".
5. Set all the items in the search to Block+Notify.

Note: If the site has set up a security profile (i.e., not using the default profile), then this should be inspected using the site's SSP for compliance.