GreyNoise Intelligence has been tracking a mysterious and increasingly concerning phenomenon since January 2020: massive waves of spoofed traffic, known as “Noise Storms.” These events have stumped cybersecurity experts and now pose new, complex risks, demanding attention from security professionals worldwide. These persistent mysteries add new layers of complexity to the cybersecurity landscape, prompting security leaders to reevaluate their defenses and ensure they are equipped with the right tools for an ironclad security posture.
We discussed this in detail in this week’s episode of Storm⚡Watch, which you can view or listen to for broader context.
Executive Summary
Multiple Theories, No Clear Explanation
Despite ongoing research, no definitive explanation for these mysterious storms has emerged. Experts debate whether they represent covert communications, Distributed Denial of Service (DDoS) attacks, or misconfigurations, leaving critical questions unanswered.
Global and Targeted Impact
Millions of spoofed IPs are flooding key internet providers like Cogent and Lumen while strategically avoiding AWS — suggesting a sophisticated, potentially organized actor with a clear agenda.
International Connection
Although traffic appears to originate from Brazil, deeper connections to Chinese platforms like QQ, WeChat, and WePay raise the possibility of deliberate obfuscation, complicating efforts to trace the true source and purpose.
Sophisticated Tactics
Advanced techniques such as TTL manipulation, OS emulation, and precise targeting make these Noise Storms not only difficult to detect but also challenging to block.
These characteristics suggest a sophisticated actor with specific goals, but the ultimate purpose remains elusive.
Noise Storms: What GreyNoise is Seeing
Noise Storms typically manifest as millions of spoofed IP addresses generating highly unusual network activity, primarily focusing on TCP connections to port 443 (HTTPS) and ICMP packets — leaving cybersecurity experts perplexed.
Interestingly, we've observed almost no UDP traffic associated with these events, making detection tools fine-tuned for UDP-based attacks less effective.
Recent traffic suggests Brazil as the apparent origin of these spoofed packets, but we believe this is likely another layer of obfuscation, adding to the growing uncertainty about the true source.
In our ongoing monitoring, several intriguing characteristics have emerged:
- Intelligent TTL Spoofing: Time To Live (TTL) values are set between 120 and 200, mimicking realistic network hops.
- OS Emulation: TCP traffic cleverly spoofs window sizes to emulate packets from various operating systems.
- Targeted Approach: Recent storms have become more focused, hitting smaller segments of the internet with increased intensity.
- Selective Targeting: While earlier storms impacted a broad range of infrastructure, recent events have notably avoided AWS while still affecting other major providers like Cogent, Lumen, and Hurricane Electric.
These characteristics suggest a sophisticated actor with an agenda; however, the purpose of these activities remains unclear to experts.
A Secret Message? The "LOVE" Mystery
A curious feature of recent Noise Storms is the inclusion of the ASCII string "LOVE" embedded within the ICMP packets, along with other varying bytes. This seemingly benign message only adds to the intrigue, leaving experts questioning whether these storms might serve as a covert communication channel.
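To make the traits described above (TTLs in the 120 to 200 band, TCP to port 443 and ICMP with almost no UDP, OS-like TCP window sizes, and the "LOVE" marker inside ICMP payloads) concrete for a defender, here is an added example of a small packet scorer. It is not GreyNoise tooling and does not process the published PCAPs; it parses raw IPv4 packets that are constructed inline, and the window-size table, the storm and benign sample bursts, and the decision thresholds in looks_like_noise_storm are all assumptions chosen for illustration.

```python
"""Added example: score raw IPv4 packets against the Noise Storm traits.
Everything here (packets, window-size table, thresholds) is constructed
for illustration and is not GreyNoise's own tooling or data."""
import struct
from collections import Counter

# Assumed window sizes typical of common OS TCP stacks; used only to show how
# "OS emulation" can be spotted, not as an authoritative fingerprint table.
KNOWN_WINDOWS = {65535: "BSD/macOS-like", 8192: "Windows-like",
                 29200: "Linux-like", 64240: "Linux-like"}


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_ipv4(src, dst, proto, ttl, payload):
    """IPv4 header without options; checksum left zero (constructed packet)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return header + payload


def build_tcp_syn(sport, dport, window):
    # seq, ack, data offset 5 words, flags SYN, window, checksum 0, urgent 0
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, window, 0, 0)


def build_icmp_echo(payload):
    # type 8 (echo request), code 0, checksum 0 (constructed), id 1, seq 1
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload


def parse_packet(raw):
    """Extract only the fields the Noise Storm heuristics need."""
    ihl = (raw[0] & 0x0F) * 4
    ttl, proto = raw[8], raw[9]
    info = {"src": ".".join(str(b) for b in raw[12:16]), "ttl": ttl,
            "proto": proto, "dport": None, "window": None, "love": False}
    body = raw[ihl:]
    if proto == 6 and len(body) >= 20:          # TCP: destination port, window
        info["dport"] = struct.unpack("!H", body[2:4])[0]
        info["window"] = struct.unpack("!H", body[14:16])[0]
    elif proto == 1 and len(body) >= 8:         # ICMP: look past the 8-byte header
        info["love"] = b"LOVE" in body[8:]
    return info


def storm_indicators(pkt):
    """Which of the described storm traits a single packet matches."""
    traits = []
    if 120 <= pkt["ttl"] <= 200:
        traits.append("ttl_in_storm_range")
    if pkt["proto"] == 6 and pkt["dport"] == 443:
        traits.append("tcp_443")
        if pkt["window"] in KNOWN_WINDOWS:
            traits.append("os_like_window")
    if pkt["proto"] == 1:
        traits.append("icmp")
        if pkt["love"]:
            traits.append("love_payload")
    return traits


def summarize(packets):
    """Aggregate view of a burst: source spread, protocol mix, and trait counts."""
    parsed = [parse_packet(p) for p in packets]
    n = len(parsed)
    protos = Counter(p["proto"] for p in parsed)
    traits = Counter(t for p in parsed for t in storm_indicators(p))
    return {"packets": n,
            "distinct_sources": len({p["src"] for p in parsed}),
            "udp_fraction": protos.get(17, 0) / n if n else 0.0,
            "ttl_in_range_fraction": traits["ttl_in_storm_range"] / n if n else 0.0,
            "tcp_443": traits["tcp_443"],
            "os_like_window": traits["os_like_window"],
            "love_icmp": traits["love_payload"]}


def looks_like_noise_storm(summary):
    """Assumed heuristic: many sources, storm-band TTLs dominate, almost no UDP, LOVE seen."""
    return (summary["distinct_sources"] >= 3
            and summary["ttl_in_range_fraction"] >= 0.8
            and summary["udp_fraction"] < 0.05
            and summary["love_icmp"] > 0)


def constructed_storm_burst():
    """Constructed burst: 10 spoofed TCP/443 SYNs and 10 ICMP echoes carrying LOVE."""
    pkts = []
    for i in range(10):
        win = [65535, 8192, 29200, 64240][i % 4]
        pkts.append(build_ipv4(f"203.0.113.{i}", "198.51.100.1", 6, 120 + 8 * i,
                               build_tcp_syn(40000 + i, 443, win)))
    for i in range(10):
        payload = bytes([i]) + b"LOVE" + bytes([0x7F - i, i * 3])   # LOVE plus varying bytes
        pkts.append(build_ipv4(f"203.0.113.{100 + i}", "198.51.100.1", 1, 130 + 7 * i,
                               build_icmp_echo(payload)))
    return pkts


def constructed_benign_sample():
    """Constructed baseline: one host doing UDP DNS and a single HTTPS SYN with TTL 64."""
    udp = struct.pack("!HHHH", 5353, 53, 8, 0)
    pkts = [build_ipv4("192.0.2.7", "198.51.100.1", 17, 64, udp) for _ in range(4)]
    pkts.append(build_ipv4("192.0.2.7", "198.51.100.1", 6, 64, build_tcp_syn(50000, 443, 64240)))
    return pkts


if __name__ == "__main__":
    for name, burst in (("storm", constructed_storm_burst()), ("benign", constructed_benign_sample())):
        s = summarize(burst)
        print(name, s, "-> storm-like" if looks_like_noise_storm(s) else "-> not storm-like")
```

The per-packet parser is deliberately minimal (no checksum validation, no IP options) so the aggregation logic stays visible; in practice the same summarize step would run over a sliding window of captured traffic, and the thresholds would be tuned against a site's own baseline rather than the assumed values above.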
The China Link: Harmless or Something More?
Our analysis has revealed that the Autonomous System Number (ASN) associated with the ICMP traffic is linked to a Content Delivery Network (CDN) servicing major Chinese platforms like QQ, WeChat, and WePay. This connection raises further concerns about deliberate obfuscation, suggesting that more sophisticated actors could be involved.
Potential Motivations and Consequences
Despite years of observation and analysis, the true nature of Noise Storms remains elusive. Theories within the cybersecurity community include:
- Covert communication channels
- Sophisticated DDoS attempts
- Misconfigured routers
- Elaborate command and control mechanisms
- Attempts to create network congestion for traffic manipulation
The persistence and evolution of Noise Storms over four years underscore the complexity of modern cyber threats. As these events continue to adapt and puzzle researchers, they serve as a reminder of the ever-changing landscape of internet security.
Key Actions for Security Professionals
Noise Storms are a reminder that threats can manifest in unusual and bizarre ways, highlighting the need for adaptive strategies and tools that go beyond traditional security measures. Here are some key takeaways for security leaders:
- Prioritize What Matters: With an overwhelming number of alerts, it’s critical to employ tools that cut through irrelevant noise and prioritize actionable threats.
- Optimize Resource Efficiency: With security teams under immense pressure, solutions that reduce false positives can help optimize time and resources.
- Be Proactive: Reactivity is no longer sufficient. Noise Storms demonstrate that security is about anticipating and mitigating risks before they cause disruption.
- Use Actionable Intelligence: Sophisticated threats require real-time, actionable intelligence capable of detecting traffic anomalies like Noise Storms — and any black swan that may follow.
GreyNoise Intelligence remains committed to investigating this phenomenon and will continue to share our findings with the cybersecurity community. We encourage network operators and security researchers to remain vigilant and report any similar observations to help unravel this ongoing internet mystery.
Join the Investigation
We’ve published packet captures (PCAPs) of the two recent storm events on GitHub for the community to poke at. We’d love to know what you find! You can contact us at research@greynoise.io with any questions or discoveries.