
IPS Management interface under attack!

    • Updated: 24 Aug 2017
    • Product/Version: TippingPoint IPS N-series All; TippingPoint IPS NX-series All; TippingPoint IPS S-series All
Summary
Several conditions can cause the "Management interface under attack" message to appear in the SMS System Log: the system is actually being attacked, it is under some form of port scan, or, most likely, the system management interface is receiving packets directed to ports other than 80, 443, 22 or 23 (HTTP, HTTPS, SSH, Telnet). Typically this is the result of the device's management interface being in the same network segment as other switching and routing devices.
Details

Routing/switching devices, DHCP servers/clients, and misconfigured network devices can generate excessive amounts of broadcast traffic that ends up being sent to all hosts on a segment. The management ports on TippingPoint devices discern only that they are receiving packets on ports they do not consider valid forms of communication (i.e., anything other than 80, 443, 22, 23). Any such packets (broadcast or otherwise) that end up being sent to the management IP address of your IPS/SMS/CC devices will be logged as "Invalid" and, upon reaching a threshold, will cause alerts to be sent to the log files.
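Added example, not part of the original article or any TippingPoint tooling: this Python script applies the rule above to a text capture (`tcpdump -n` format) taken on the management segment and counts, per source and destination port, the packets the management port would treat as invalid. The management IP 192.0.2.10, the broadcast addresses and the capture lines are constructed assumptions.

```python
import re
from collections import Counter

# Ports the article lists as valid for the management interface
# (HTTP, HTTPS, SSH, Telnet); anything else is logged as "Invalid".
VALID_PORTS = {80, 443, 22, 23}

# Assumption: hypothetical management IP plus the broadcast addresses it hears.
MGMT_TARGETS = {"192.0.2.10", "192.0.2.255", "255.255.255.255"}

# Constructed sample lines in `tcpdump -n` text format (not real traffic).
SAMPLE = """\
12:00:01.100000 IP 192.0.2.50.51514 > 192.0.2.10.443: Flags [S], seq 1, length 0
12:00:01.200000 IP 192.0.2.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
12:00:02.200000 IP 192.0.2.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
12:00:02.300000 IP 192.0.2.77.137 > 192.0.2.255.137: UDP, length 50
12:00:03.000000 IP 192.0.2.50.51600 > 192.0.2.10.22: Flags [S], seq 1, length 0
12:00:03.500000 IP 192.0.2.20.40000 > 192.0.2.10.161: UDP, length 43
12:00:04.000000 IP 192.0.2.50.51700 > 192.0.2.99.80: Flags [S], seq 1, length 0
"""

# "IP <src>.<sport> > <dst>.<dport>:" as printed by tcpdump -n for TCP/UDP.
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def invalid_sources(capture, targets=MGMT_TARGETS):
    """Count packets per (source IP, destination port) that reach the
    management interface on a port outside VALID_PORTS."""
    hits = Counter()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # ARP, ICMP, IPv6: no IPv4 addr.port pair to classify
        src, _sport, dst, dport = m.groups()
        if dst in targets and int(dport) not in VALID_PORTS:
            hits[(src, int(dport))] += 1
    return hits


if __name__ == "__main__":
    for (src, port), n in invalid_sources(SAMPLE).most_common():
        print(f"{src} -> port {port}: {n} packet(s)")
```

The sources that dominate the output are the devices to move off the management segment or to account for when writing the host filters.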

To prevent these notifications from occurring, TippingPoint recommends the following:

1) Configure the Management Interface to be on an isolated VLAN or segment or to only be reachable from the internal network.

2) Configure the Management Interface via the CLI to restrict traffic to/from specific hosts.


        - To limit management interface access to one host: conf t host ip-filter permit ip <ip address> <mask>
        - To restrict a specific IP address from accessing the management interface, issue the following command: conf t host ip-filter deny ip <ip address> <mask>
        - To remove the filter restriction, issue the following command: conf t host ip-filter permit ip any

 

Note: When configuring the access control list as described in step 2, always allow the terminal that you are currently logged in from first. The IPS implements the ACL immediately and changes the allow-all at the bottom of the list to deny-all by default, so allowing a different terminal first will terminate your SSH session.

Category: Configure; Troubleshoot; Deploy
Solution Id: TP000086196