Mysterious “Noise Storms” Have Been Hitting the Internet Since 2020

Since January 2020, GreyNoise Intelligence has been tracking a puzzling phenomenon known as “Noise Storms”—massive waves of spoofed internet traffic that continue to perplex cybersecurity experts.

These events, characterized by millions of spoofed IP addresses, are evolving in complexity, posing new challenges to defenders across the globe. Despite ongoing research, the true purpose and origin of these attacks remain shrouded in mystery, with possible connections to covert communication networks, Distributed Denial of Service (DDoS) attacks, or misconfigured routers.

Evolving tactics and potential theories

Noise Storms are primarily composed of TCP traffic targeting port 443 (HTTPS) and ICMP packets, but they notably lack UDP traffic, a common vector in similar attacks. These events exhibit signs of high-level coordination and technical proficiency:

• TTL Spoofing: Time to Live (TTL) values are manipulated to mimic legitimate internet hops, typically ranging between 120 and 200.
• OS Emulation: TCP packets are crafted to spoof window sizes, mimicking traffic from various operating systems.
• Selective Targeting: Recent storms have become more focused, hitting smaller segments of the internet with greater intensity. Notably, they avoid Amazon Web Services (AWS) while impacting providers like Cogent, Lumen, and Hurricane Electric.

While these storms initially seemed like large-scale, indiscriminate attacks, the targeting has grown more refined, suggesting a highly organized actor. This sophistication is coupled with a key discovery: spoofed traffic appears to originate from Brazil, yet further analysis points to obfuscation, potentially masking deeper ties to Chinese platforms such as QQ, WeChat, and WePay. This international connection adds a layer of geopolitical complexity to the case.

The enigmatic “LOVE” message

One of the most perplexing features of the latest Noise Storms is the discovery of the ASCII string “LOVE” embedded within ICMP packets. This seemingly innocent message has confounded researchers, sparking speculation that the storms might be a covert communication channel. The appearance of such a specific, intentional string raises questions about whether these events serve as signals or commands exchanged between entities, hidden in the noise of internet traffic.

GreyNoise’s analysis revealed that the Autonomous System Number (ASN) tied to the ICMP traffic is linked to a Content Delivery Network (CDN) servicing prominent Chinese platforms. This connection has led experts to theorize that the attacks could be attempts to obfuscate the true origin of the traffic. While Brazil is the reported origin, the sophistication and selective targeting imply a more calculated operation, potentially involving state actors or large, organized entities.

This connection with major Chinese platforms raises concerns about the true intentions behind these attacks. Whether it is simply misdirection or part of a broader, coordinated campaign remains to be seen.

GreyNoise has been at the forefront of studying these mysterious Noise Storms for over four years, diligently capturing data and sharing findings with the wider security community. The organization has made packet captures (PCAPs) of the two recent storm events available on GitHub, inviting researchers to help unravel this ongoing enigma. These captures contain samples of the TCP and ICMP traffic observed in recent months, providing a valuable resource for further investigation.