GreyNoise Intelligence captures mysterious "noise storms" on the Internet.
Since January 2020, GreyNoise Intelligence has been tracking an unusual phenomenon in cyberspace: large-scale waves of spoofed traffic, dubbed "Noise Storms". The phenomenon baffles cybersecurity experts and creates new and complex risks that require the attention of security professionals around the world.
Despite ongoing research, there is still no clear explanation for the origin of these mysterious "storms". Experts have theories ranging from covert communication channels and distributed denial-of-service (DDoS) attacks to misconfigured routers.
"Noise storms" are characterized by millions of spoofed IP addresses generating highly unusual network activity. Most of the traffic is directed to port 443 (HTTPS) and uses the ICMP protocol. Interestingly, UDP traffic is virtually non-existent, so tooling tuned to detect UDP-based attacks is unlikely to notice these storms.
While the latest data points to Brazil as the alleged source of the spoofed packets, experts believe this is likely another layer of disguise. Analysis linked the autonomous system (ASN) associated with the ICMP traffic to a content delivery network (CDN) serving major Chinese platforms such as QQ, WeChat and WePay. This connection raises further concerns about the possible involvement of more sophisticated actors.
"Noise storms" demonstrate a high degree of sophistication and intent:
- Intelligent TTL spoofing: Time To Live values are set between 120 and 200, simulating realistic network transitions.
- Operating system emulation: TCP traffic spoofs window sizes to mimic packets from different operating systems.
- Targeted approach: Recent storms have become more focused, attacking smaller segments of the internet with increased intensity.
- Selective targeting: While early storms affected a wide range of infrastructure, recent events have notably bypassed AWS, continuing to impact other major providers such as Cogent, Lumen, and Hurricane Electric.
A curious feature of recent "noise storms" is the inclusion of the ASCII string "LOVE" embedded in ICMP packets, along with other byte-level variations. This seemingly innocuous message only adds to the intrigue, leading experts to wonder whether these "storms" serve as a covert communication channel.
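To make these traits concrete from a defender's side, here is an added example (written for this page, not GreyNoise's code and not derived from their published PCAPs) that parses raw IPv4 packets and flags the characteristics described above: the 120-200 TTL band, the "LOVE" marker in ICMP payloads, and TCP toward port 443 with its window size recorded for OS-emulation analysis. The packet builders, sample addresses and the three-source storm threshold are constructed assumptions.

```python
import struct
from collections import Counter

def build_ipv4(proto, ttl, src, payload, dst="198.51.100.9"):
    """Constructed raw IPv4 packet (no options, no link layer); checksum left as zero."""
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0, ip(src), ip(dst)) + payload
def icmp_echo(payload):  # type 8 echo request, code 0, checksum 0, id, seq
    return struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
def tcp_syn(dport, window):  # 20-byte TCP header, SYN flag only
    return struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, window, 0, 0)

def indicators(pkt):
    """Noise-storm traits in one packet, per the article: TTL band, ICMP "LOVE", TCP/443 (+window)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return {}
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto, body = pkt[8], pkt[9], pkt[ihl:]
    hits = {"src": ".".join(str(b) for b in pkt[12:16])}
    if 120 <= ttl <= 200:          # spoofed TTLs reportedly sit in this band
        hits["ttl_band"] = True
    if proto == 1 and len(body) >= 8 and b"LOVE" in body[8:]:
        hits["love"] = True        # ASCII marker after the 8-byte ICMP header
    if proto == 6 and len(body) >= 20:
        dport, window = struct.unpack("!H", body[2:4])[0], struct.unpack("!H", body[14:16])[0]
        if dport == 443:
            hits["tcp_443"] = True
            hits["window"] = window  # window size hints at the OS being imitated
    return hits

def summarize(pkts, min_sources=3):
    """A storm is many distinct (spoofed) sources sharing the profile, not one noisy host."""
    traits, windows, sources = Counter(), Counter(), set()
    for p in pkts:
        h = indicators(p)
        traits.update(k for k in ("ttl_band", "love", "tcp_443") if h.get(k))
        if "window" in h:
            windows[h["window"]] += 1
        if h.get("love") or (h.get("tcp_443") and h.get("ttl_band")):
            sources.add(h["src"])
    return {"traits": dict(traits), "tcp_windows": dict(windows),
            "suspect_sources": len(sources), "storm": len(sources) >= min_sources}

SAMPLE = [  # constructed packets, not GreyNoise's published captures
    build_ipv4(1, 128, "203.0.113.1", icmp_echo(b"\x00\x01LOVE\x02\x03")),
    build_ipv4(1, 190, "203.0.113.2", icmp_echo(b"LOVE" + bytes(12))),
    build_ipv4(6, 150, "203.0.113.3", tcp_syn(443, 64240)),
    build_ipv4(6, 64, "192.0.2.44", tcp_syn(443, 65535)),  # ordinary client: TTL outside band
    build_ipv4(17, 64, "192.0.2.45", bytes(8)),            # UDP: all but absent in storms
]
```

On real captures the same `indicators` function can be fed the IP layer of each frame from a PCAP reader; the per-source aggregation is what separates a storm from a single misbehaving host.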
GreyNoise Intelligence urges network operators and security researchers to remain vigilant and report any such sightings to help solve this ongoing internet mystery. The company has published packet captures (PCAPs) of two recent storm events on GitHub for community review.
GreyNoise Intelligence experts emphasize that "noise storms" are a reminder that threats can manifest themselves in unusual and bizarre ways. Security professionals are encouraged to:
- Prioritize what's important: Use tools that weed out irrelevant noise and highlight the threats that are genuinely dangerous.
- Optimize resources: Apply solutions that reduce false positives.
- Be proactive: Anticipate and mitigate risks before they cause disruptions.
- Use practical intelligence: Apply tools capable of detecting traffic anomalies in real time.