The TPS must protect against or limit the effects of known types of Denial of Service (DoS) attacks by employing signatures.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-242192	TIPP-IP-000270	SV-242192r710119_rule		Medium

Description
If the network does not provide safeguards against DoS attack, network resources will be unavailable to users. Installation of TPS detection and prevention components (i.e., sensors) at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume, type, or protocol usage. Detection components that use signatures can detect known attacks by using known attack signatures. Signatures are usually obtained from and updated by the IDPS component vendor. These attacks include SYN-flood, ICMP-flood, and Land Attacks. This requirement applies to the communications traffic functionality of the IDPS as it pertains to handling communications traffic, rather than to the IDPS device itself.

Description

If the network does not provide safeguards against DoS attack, network resources will be unavailable to users. Installation of TPS detection and prevention components (i.e., sensors) at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume, type, or protocol usage. Detection components that use signatures can detect known attacks by using known attack signatures. Signatures are usually obtained from and updated by the IDPS component vendor. These attacks include SYN-flood, ICMP-flood, and Land Attacks. This requirement applies to the communications traffic functionality of the IDPS as it pertains to handling communications traffic, rather than to the IDPS device itself.

STIG	Date
Trend Micro TippingPoint IDPS Security Technical Implementation Guide	2021-06-09

Details

Check Text ( C-45467r710117_chk )
1. In the Trend Micro SMS, navigate to "Profiles" and "Inspection Profiles" and select the organization's profile. 2. If there is not one configured, select "Default". 3. Click "Search". 4. Under "Filter criteria", select all "Filter categories". Select the "Filter Name" section and type "ddos". If the following filter names are not set to Block+Notify, this is a finding: - 10725: TCP: LOIC DDoS Tool - 12624: TCP: itsoknoproblembro DDoS Tool - 12641: UDP: itsoknoproblembro DDoS Tool - 12899: HTTP: Vertigo DDoS Tool - 19918: HTTP: Kill 'em All DDOS Attack

Check Text ( C-45467r710117_chk )

1. In the Trend Micro SMS, navigate to "Profiles" and "Inspection Profiles" and select the organization's profile.
2. If there is not one configured, select "Default".
3. Click "Search".
4. Under "Filter criteria", select all "Filter categories". Select the "Filter Name" section and type "ddos".

If the following filter names are not set to Block+Notify, this is a finding:
- 10725: TCP: LOIC DDoS Tool
- 12624: TCP: itsoknoproblembro DDoS Tool
- 12641: UDP: itsoknoproblembro DDoS Tool
- 12899: HTTP: Vertigo DDoS Tool
- 19918: HTTP: Kill 'em All DDOS Attack

Fix Text (F-45425r710118_fix)
1. In the Trend Micro SMS, navigate to "Profiles" and "Inspection Profiles" and select the organization's profile. 2. If there is not one configured, select "Default". 3. Click "Search". 4. Under "Filter criteria", select all "Filter categories". Select the "Filter Name" section and type "ddos". 5. Ensure all the following are set to Block+Notify: - 10725: TCP: LOIC DDoS Tool - 12624: TCP: itsoknoproblembro DDoS Tool - 12641: UDP: itsoknoproblembro DDoS Tool - 12899: HTTP: Vertigo DDoS Tool - 19918: HTTP: Kill 'em All DDOS Attack

Fix Text (F-45425r710118_fix)

1. In the Trend Micro SMS, navigate to "Profiles" and "Inspection Profiles" and select the organization's profile.
2. If there is not one configured, select "Default".
3. Click "Search".
4. Under "Filter criteria", select all "Filter categories". Select the "Filter Name" section and type "ddos".
5. Ensure all the following are set to Block+Notify:
- 10725: TCP: LOIC DDoS Tool
- 12624: TCP: itsoknoproblembro DDoS Tool
- 12641: UDP: itsoknoproblembro DDoS Tool
- 12899: HTTP: Vertigo DDoS Tool
- 19918: HTTP: Kill 'em All DDOS Attack