Handout C: Help Desk Ticket Summary

Selection of help desk tickets from July 13-20, 2001. These show user-facing impact during the initial Code Red infection wave and subsequent campus response.


Incident Ticket Summaries

TICKETS: July 13, 2001 (Initial Infection Wave)

Ticket #4521 – 14:15 UTC

  • From: Dr. Michael Johnson (Professor, Computer Science)
  • Subject: Computer Science Website Defaced - URGENT
  • Description: My research group’s website is showing “HELLO! Welcome to http://www.worm.com! Hacked By Chinese!” instead of my NSF grant research information. This happened without any warning. I need immediate restoration.
  • Status: ESCALATED
  • IM Response: This is affecting multiple web servers. Likely coordinated attack. Escalating to network security team.

Ticket #4523 – 14:47 UTC

  • From: Lisa Rodriguez (Student Services)
  • Subject: Course Registration Portal - Error Messages
  • Description: Students are reporting error messages when accessing the summer course registration system. I’m getting 10+ calls per hour. Students cannot register for fall courses.
  • Status: ESCALATED
  • IM Response: Web server infrastructure under attack. Alternative registration being arranged.

Ticket #4526 – 15:12 UTC

  • From: Kevin Zhang (Network Administrator)
  • Subject: Help Desk - ALL SERVERS: Unusual Traffic Pattern
  • Description: Our network monitoring shows extremely high outbound traffic from our web servers: TCP port 80 connection attempts to what look like random Internet addresses. Appears to be automated. Multiple servers compromised. I need the help desk to record calls for impact assessment.
  • Status: CRITICAL - INCIDENT DECLARED
  • IM Response: Beginning incident investigation. Coordinating with campus administration.

TICKETS: July 14, 2001 (Exponential Spread)

Ticket #4538 – 08:30 UTC

  • From: Physics Department (20+ callers)
  • Subject: Physics Department Web Server Down
  • Description: Physics website displaying defacement. Also reporting extremely slow network access across department servers.
  • Status: CRITICAL
  • IM Response: Deploying the MS01-033 patch to Physics servers and rebooting. The worm runs only in memory, so a reboot removes it, but an unpatched server is reinfected as soon as it is probed again. Expect 30-minute downtime during patch and reboot.

Ticket #4541 – 09:15 UTC

  • From: Engineering Department (15+ callers)
  • Subject: Engineering Portal and Research Data Access - Down
  • Description: Multiple servers in the engineering complex affected. Research data repositories inaccessible. Lab equipment that depends on network services offline.
  • Status: CRITICAL
  • IM Response: Patching in progress. Parallel systems being activated.

Ticket #4544 – 11:00 UTC

  • From: Help Desk Supervisor
  • Subject: Help Desk Queue Overflow - 340+ Calls Pending
  • Description: We’re receiving 100+ calls per hour from students, faculty, and staff reporting website defacements, access errors, and network slowness. Our phone system is saturated. Queue time: 45+ minutes.
  • Status: CRITICAL - ALL HANDS RESPONSE
  • IM Response: Emergency all-hands mobilization. Escalating to dean’s office for communication strategy.

Ticket #4549 – 14:30 UTC

  • From: Dean’s Office
  • Subject: Media Inquiry - University Hacked?
  • Description: Multiple news outlets (CNN, MSNBC) are calling asking about “Chinese hackers attacking the university.” We need a prepared statement. Approximately how long until restoration?
  • Status: URGENT
  • IM Response: Estimated 8-12 hours for patch deployment to 300+ servers. Reputation impact significant. Recommending transparent communication.

Ticket #4552 – 16:45 UTC

  • From: Student Government President
  • Subject: Student Concerns - Is the University Secure?
  • Description: Students are discussing the attack on campus message boards. Concerns about personal data security, academic records, email systems. Need official statement from IT.
  • Status: MEDIUM
  • IM Response: No evidence of data breach. Code Red modifies no files on disk; the defacement is served from memory by the infected IIS process and disappears on reboot. Personal data systems were not compromised.

TICKETS: July 19-20, 2001 (DDoS Phase - External Impact)

Ticket #4571 – 00:15 UTC (July 19)

  • From: Network Monitoring Alert
  • Subject: Campus Network: Massive Outbound Bandwidth to Specific Target (198.137.240.91)
  • Description: Automated alert: All infected servers are now sending traffic to IP 198.137.240.91 at maximum rates. This appears to be coordinated DDoS attack. Target confirmed to be the White House website.
  • Status: CRITICAL - NATIONAL SECURITY INCIDENT
  • IM Response: Documenting for law enforcement. Isolating infected servers. Notification being sent to CERT/CC and the FBI’s NIPC per emergency protocols.

Ticket #4579 – 06:00 UTC (July 20)

  • From: Law Enforcement - FBI Computer Crime Task Force
  • Subject: Code Red Investigation - University Cooperation Request
  • Description: FBI conducting investigation into Code Red worm. Requesting cooperation from university IT to preserve logs and evidence. May need to brief law enforcement on network architecture and response.
  • Status: LEGAL/COMPLIANCE
  • IM Response: Full cooperation. Legal counsel briefed. Evidence preservation in place.
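
The two network symptoms the tickets report, the outbound port-80 fan-out in #4526 and the single-target flood in #4571, can be pulled out of ordinary web-server and flow logs rather than reconstructed from phone calls. The Python below is an added example and is not part of the original handout or of any campus tooling. The IIS field order it parses, the log lines and flow records it runs on, and the scan and DDoS thresholds are all constructed assumptions for illustration.

```python
"""Network-side triage for the symptoms reported in tickets #4526 (outbound
scanning from web servers) and #4571 (all infected hosts flooding one target).

Added example; not part of the original handout. The IIS log lines and flow
records are constructed for illustration. The IIS field order (date time c-ip
cs-method cs-uri-stem cs-uri-query sc-status) is an assumption: W3C extended
log fields were site-configurable."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

DDOS_TARGET = "198.137.240.91"  # www1.whitehouse.gov, the Code Red DDoS target

# Code Red's infection request hits /default.ida with a query that opens with a
# long run of N (Code Red I) or X (Code Red II) bytes before the %u-encoded code.
IDA_QUERY_RE = re.compile(r"^(?:N{100,}|X{100,})")


def parse_iis_line(line: str) -> Optional[Dict[str, str]]:
    """Split one IIS W3C log line into named fields; None for comments/short lines."""
    if line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 7:
        return None
    keys = ("date", "time", "c_ip", "method", "stem", "query", "status")
    return dict(zip(keys, fields[:7]))


def find_ida_attempts(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source ip, status) for each Code Red style .ida request.
    The status code is kept for correlation only; the worm is memory-resident,
    so infection is confirmed on the host, not from the log."""
    hits = []
    for line in lines:
        rec = parse_iis_line(line)
        if (rec and rec["method"] == "GET" and rec["stem"].lower() == "/default.ida"
                and IDA_QUERY_RE.match(rec["query"])):
            hits.append((f'{rec["date"]} {rec["time"]}', rec["c_ip"], rec["status"]))
    return hits


def classify_flows(flows: Iterable[Tuple[str, str, int, int]],
                   scan_threshold: int = 50,
                   ddos_ratio: float = 0.9) -> Dict[str, List[str]]:
    """Tag each source address from outbound flow records (src, dst, dport, bytes).

    "scanning": at least scan_threshold distinct destinations on TCP/80, the
    fan-out a Code Red host produces while probing random addresses (#4526).
    "ddos-participant": at least ddos_ratio of the host's outbound bytes went
    to DDOS_TARGET:80, the pattern from ticket #4571."""
    port80_dests: Dict[str, set] = defaultdict(set)
    total_bytes: Dict[str, int] = defaultdict(int)
    target_bytes: Dict[str, int] = defaultdict(int)
    for src, dst, dport, nbytes in flows:
        total_bytes[src] += nbytes
        if dport == 80:
            port80_dests[src].add(dst)
            if dst == DDOS_TARGET:
                target_bytes[src] += nbytes
    verdicts: Dict[str, List[str]] = {}
    for src, total in total_bytes.items():
        tags = []
        if len(port80_dests[src]) >= scan_threshold:
            tags.append("scanning")
        if total and target_bytes[src] / total >= ddos_ratio:
            tags.append("ddos-participant")
        verdicts[src] = tags
    return verdicts


# Constructed sample data (documentation address ranges, plus the real DDoS target).
SAMPLE_IIS_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-13 14:02:51 192.0.2.77 GET /index.htm - 200",
    # shellcode tail abbreviated; the real request carries several hundred bytes of %uXXXX
    "2001-07-13 14:03:07 192.0.2.18 GET /default.ida " + "N" * 224 + "%u9090%u6858%ucbd3%u7801 200",
    "2001-07-13 14:03:09 192.0.2.18 GET /default.ida " + "N" * 224 + "%u9090%u6858%ucbd3%u7801 200",
    "2001-07-13 14:04:30 192.0.2.44 GET /default.ida - 404",
]

SAMPLE_FLOWS = (
    [("10.1.1.10", f"203.0.113.{i}", 80, 600) for i in range(60)]   # scanning fan-out
    + [("10.1.1.20", DDOS_TARGET, 80, 100_000) for _ in range(20)]  # flood, ticket #4571
    + [("10.1.1.20", "10.1.0.53", 53, 120)]                          # ordinary DNS lookup
    + [("10.1.1.30", "203.0.113.200", 80, 4_000),                    # clean web server
       ("10.1.1.30", "203.0.113.201", 443, 9_000)]
)

if __name__ == "__main__":
    for when, src, status in find_ida_attempts(SAMPLE_IIS_LOG):
        print(f"{when} .ida probe from {src} (status {status})")
    for src, tags in sorted(classify_flows(SAMPLE_FLOWS).items()):
        print(f"{src}: {', '.join(tags) or 'clean'}")
```

The thresholds are the part to tune. A web server legitimately opens very few outbound TCP/80 connections of its own, so even 50 distinct destinations in a short window is a strong signal, and the byte ratio for the flood should be measured over the window in which the flood is actually running, not across the whole incident.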

Help Desk Call Volume Analytics

Daily Call Volume, Average Wait Time and Resolution Rate

Date        | Total Calls | Peak Hour | Avg Wait Time | Resolution Rate | Note
────────────┼─────────────┼───────────┼───────────────┼─────────────────┼────────────────────────
July 12     | 45          | 2 PM      | 2 min         | 95%             | Baseline (pre-incident)
July 13     | 320         | 3 PM      | 18 min        | 40%             | Initial infection wave
July 14     | 1,200       | 11 AM     | 45 min        | 25%             | Exponential spread
July 15     | 950         | 9 AM      | 32 min        | 35%             |
July 16     | 720         | 10 AM     | 22 min        | 50%             |
July 17     | 480         | 1 PM      | 12 min        | 68%             |
July 18     | 280         | 3 PM      | 6 min         | 85%             |
July 19     | 620         | 2 AM      | 28 min        | 15%             | DDoS phase begins
July 20     | 350         | 8 AM      | 8 min         | 80%             | Recovery

IM NOTES (Do Not Show to Players): Key observations:

  1. Exponential User Impact: Call volume peaks at 1,200 calls/day (July 14) against a baseline of about 45 calls/day (July 12). A 27x increase in support demand.

  2. Resolution Rate Collapse: Normal 95% resolution rate drops to 25% during peak infection (July 14). Help desk staff are overwhelmed dealing with widespread infrastructure failure.

  3. DDoS Phase Spike (July 19): Even after the main patch rollout, a second call spike occurs when the servers that are still infected (never patched, or rebooted without the patch and reinfected) switch from scanning to flooding 198.137.240.91. The university is now participating in an attack on the White House – this raises legal/compliance concerns.

  4. Reputation Damage: Media inquiries and student concerns reflect not just the technical attack but the public perception of a security breach. In reality the worm carried no data-theft payload: it modified no files on disk, and the defacement was served from memory by the infected IIS process. The perception damage was nonetheless significant.

  5. Recovery: By July 20, with patches deployed and infected servers cleaned, the university network stabilizes. Call volume returns to normal by July 21.


Impact Summary

Category                    | Impact
────────────────────────────┼───────────────────────────────────────────────────────────────────
Servers Affected            | 127 out of 300+ IIS servers infected
Students Unable to Register | 15,000+ students affected for 48+ hours
Teaching Disruption         | 200+ course websites defaced
Faculty Research Impact     | Research data repositories offline for 36+ hours
Reputation                  | National media coverage; “Chinese hackers” narrative (unverified)
Regulatory Exposure         | Federal student data protection (FERPA) questions raised
Recovery Cost               | $800K+ (staff overtime, emergency patching, reputation management)

Key Discovery Questions

  • What does the help desk ticket volume tell you about attack severity?

A 27x increase in support demand indicates widespread infrastructure failure affecting every user-facing service. This is not a localized breach – it’s systemic.

  • Why would the FBI become involved on July 20?

Because the university’s own servers were unknowingly participating in a DDoS attack against United States government infrastructure (the White House website). This crossed the line from “computer intrusion” to “critical infrastructure attack” and became a federal criminal investigation.

IM Facilitation Notes

This handout shows the user-facing and organizational impact of the technical attack:

  • Help desk escalation and resource saturation
  • Reputation damage in media
  • Student/faculty concerns about data security
  • Transition from technical incident to criminal/federal matter