Blackhole and Wireless Turnoff Handling Information
Campus computers identified by DoIT Security as being compromised will have their network access disabled. For Campus Network (wired) users, this means their computer's IP address will be blackholed. For campus wireless users, this means their NetID will no longer be able to authenticate.
Note: Blackhole refers to a network computer that has been taken off the network by DoIT Security. The computer is still physically connected to the network and has a valid IP address; however, campus routers are instructed to discard packets to and from this machine. For the computer user, this means that any network connections they try will not work (web pages cannot be displayed, email clients will time out, they cannot ping things, etc.).
- Service Users: Users of compromised computers attempting to connect to the UW Madison networks.
- Availability: 24 x 7 by the SNCC.
- Server Information: None
- Unique Support Conditions: Customers can have their computers checked in to Repair for virus/malware removal. If they would like to do this, see Virus or Malware Handling Information.
- Virus or Malware Handling Information explicitly outlines what needs to be done by a customer in order to remove a blackhole.
Select an appropriate service, category and subcategory from the options below.
- Security
- BadgIRT
- Submit Incident
For ALL incidents, gather the following minimum required information:
- Clear, detailed description of the problem
- Complete customer contact information
Copy/paste the following additional required information into the WiscIT Description field:
Example Case:
- NetID (Wireless UWNet users only): bbadger
- Is this the only computer that accesses Wireless UWNet with that NetID?: Yes
- LAN Admin contact name (Campus Network users only): N/A
- IP address(es) to be unblocked (Campus Network users only): N/A
- Date of the Virus Definitions (these should be within the last three weeks): August 20th (four days ago)
- Viruses that were found (can be found in the scan history): Trojan-Spy.Win32.Zbot
- Has customer installed current Windows service packs and patches? If not, ask customer to install auto updater: Yes, Windows is completely up-to-date
Response time for removing a blackhole is 2 hours.
For a visual depiction of this workflow, see the following image: Process Diagram
- The Help Desk receives one or more customer contacts for an issue that is identified as a potential outage.
- HDQA checks the outages page for any related open planned outages. HDQA then chats SNCC via Service Support Chat Room and confirms an outage should be declared.
- If an outage is identified, SNCC should immediately begin creating an Outage.
- HDQA receives the Incident from the agent(s) who handled the initial contact(s).
- HDQA creates a problem in Cherwell by selecting New > Problem. HDQA then fills out the fields in the Identify and Classify section of the Problem with the information they gathered from the Incident(s). For assistance with Problem creation, reference: Help Desk Training - Create a Problem in WiscIT without the Problem Manager or Help Desk Training - Create a Problem in WiscIT with the Problem Manager.
- When the Problem has been created and saved, HDQA clicks the team name in the Owned by pane and assigns the Problem to 'SNCC-Sysops' or 'SNCC-Network' as directed by the service handling doc or SNCC staff.
- SNCC receives the Problem and links the Problem to the Outage from the Problem screen.
- HDQA links the original Incident(s) and any additional relevant Incidents they have received to the Problem. For instructions on performing this step, see WiscIT - Linking an Incident to a Problem.
- As calls continue to come in, Help Desk agents should link the Incidents to the Problem themselves. Level 1 agents should simply save the Incident at this stage; do NOT resolve these Incidents or escalate them to HDQA.
- When the outage is resolved, SNCC will go into the open Problem and select the Resolve Attached Incidents link on the left side of the screen; this will email all customers that their Incidents should be resolved. The email will direct customers to contact the Help Desk if they believe the issue is still occurring.
- If the problem needs follow-up investigation, SNCC will assign the Problem to the appropriate team.