I work in a SOC that provides real-time alerting and monitoring for quite a few rather important networks

without going into too much details that many of you would get lost in, I noticed a doo doo ton of odd traffic in the secondary IDS console,

we'll just say that event alerts in that section typically range from 1 or 2 events of the same time / origin / target etc, to maybe 1-2,000

well there were like 5 sets of portscan / ICMP event alerts that were pooling in the millions and billions

so I brought it up to one of the analysts in the room with me and started the process of contacting the client, which it became more of contacting the servicer of the client *eyeroll..* that's always fun!

Anyway, so if you've understood it this far you're doing good.. to recap we were calling the servicer about ICMP traffic that had event totals in the several billions (that's a bunch... you're talking 64-100 Gigs of abnormal traffic) there's connectivity tools that can cause this if left running for long periods of time, useful to see if/when a webserver you're doing maintenance on comes back up.. or something .. i personally don't use them

well anyway, it appeared that one had been left on.. or several had been left on..

so anyway, to the call

the first call to the servicer was met with "Oh.. we don't do "Banks" we do "Hotels"

so the second call finally gets to the right department / area and upon the analyst telling the guy that it was abnormal icmp traffic in the volume of "a Heck of a Lot" the guy said Uhhhh.. Here's my supervisor

So the super gets on, and the information was repeated, and the super asks..

What protocol is ICMP

Answer? - Um.. ICMP is the ICMP protocol...

Well.. atleast tell me what port its directed at...

Answer? - Uh.. Well ya see. ICMP typically isn't directed towards any particular port.. it's basically what occurs when you go to a command line and type Ping X.X.X.X ........

Oh... well uh.. Oh..

Answer? - It's internal to internal, and here's the origin IP address.. which is what you need to know...


I went home not long after that, because it doesn't get much better than a middleman company who one of your clients depends on for alert notification and local security policy having an IT supervisor ask those two insanely stupid questions (atleast from an IT Networking perspective..)

_________________
03 Renegade (Black)
177k miles 3.7L gas - 45RFE
Command Trac / 4.10s
Lift: ft. 790+ rr. JBA4+
The last of the TrailReady Front&Rear Bumpers and TR Rock Rails
Jarhead Offroad light covers
31x10.5R15 RedLetter Grabbers on Blackrock Dunes
L.O.S.T #KD098632

Kind of scary if you ask me.
I know most people only deal with UDP & TCP, but an IT supervisor should know more than just the basics. I hope he doesn't have anything to do with network security.

_________________
Take the road less traveled.

he was the supervisor..

of a certain ISP's Network Operations Center .......

*snicker snicker...*

_________________
03 Renegade (Black)
177k miles 3.7L gas - 45RFE
Command Trac / 4.10s
Lift: ft. 790+ rr. JBA4+
The last of the TrailReady Front&Rear Bumpers and TR Rock Rails
Jarhead Offroad light covers
31x10.5R15 RedLetter Grabbers on Blackrock Dunes
L.O.S.T #KD098632

Wow. That's sad the supervisor only knew that much....but funny at the same time too.

_________________
Originally Posted by m_volyrakis
"I recently removed my girlfriend.
Although this mode didn't affect my ground clearance, it drastically improved my off-road capabilities!"

Really sad ...

Maybe it was his first day on the job.

_________________
DIRTY KJ :: flickr photostream
"Primitive life is very common and intelligent life is fairly rare ... some would say it has yet to occur on Earth" --- Stephen Hawking

"What protocol is ICMP "

fired after that statement.

_________________
-=Stock, but goin' places=-

04 3.7 Sport.
Auto Trans
Yokohama Geolandar AT/S 235/70/R16
Garmin GPS on RAM Mount

Mileage Trend:

I'm glad that your noc has supers like that, keeps the rest of us working.

I used to work for true position (a company that installs e-911 hardware on gsm networks aka cingular) One of my Co workers
Who was supposed to be testing a t1 for a down after commission tower, instead unplugged a t1 span that killed the billing system for la county, san diego county, and orange county, while testing the wrong network, he was interrupted by his watches alarm, notifying him it was lunch time. He left the span unplugged lying on the ground. For 6 hours. I just HAPPENED to walk down that row and see it laying there. all i can say is, wow. No redundancy. Amazing.

"i don't design this crap i just work on it"

_________________
06 CRD Limited. IMII, GDE TCM, Carter transfer pump, Upgraded oem primary, 2 micron secondary, 3 inch mandrel straight pipe.
Transgo shift kit, EHM, fcv butterfly removed, egr plated off. 19 3/8 solid flex fan, no electric fan, 10k lb aux trans cooler.
Frankenlift II, Mopar skids, allj's rails, 235/85 km2 on stock rims

most of our clients IDS systems even have redundancy

one outside the firewall and one inside, then HIDS and what not

we also operate some Catbirds but i don't have any real experience with those since they're IDS inside a VPN or encrypted tunnel


but.. our work moto is, if you ain't breakin nothin, you ain't workin'

_________________
03 Renegade (Black)
177k miles 3.7L gas - 45RFE
Command Trac / 4.10s
Lift: ft. 790+ rr. JBA4+
The last of the TrailReady Front&Rear Bumpers and TR Rock Rails
Jarhead Offroad light covers
31x10.5R15 RedLetter Grabbers on Blackrock Dunes
L.O.S.T #KD098632

_________________
http://www.Colorado4Wheel.com
"Its not about what you can DO with your Jeep, its about where you can GO with your Jeep."
Knowledgeable - But Caustic

hahaha

i just sent that to the guys at work

that's good

_________________
03 Renegade (Black)
177k miles 3.7L gas - 45RFE
Command Trac / 4.10s
Lift: ft. 790+ rr. JBA4+
The last of the TrailReady Front&Rear Bumpers and TR Rock Rails
Jarhead Offroad light covers
31x10.5R15 RedLetter Grabbers on Blackrock Dunes
L.O.S.T #KD098632