Notes and receipts (PCAPs) for TCP and ICMP Noise Storms
See this episode of Storm⚡️Watch for more information.
- brazil-storm-small-tcp-sample/: sample of a TCP Noise Storm mentioned in the episode
- noise-storm-icmp-brazil/: full capture of the ICMP Noise Storm mentioned in the episode
- Noise Storms are large-scale spoofed packet events first observed in January 2020, coinciding with the U.S. military action against Iranian General Soleimani.
- They involve millions of spoofed IP addresses, primarily appearing to originate from Brazil in recent months.
- The traffic is mostly TCP (port 443) and ICMP, with no UDP traffic observed.
- Recent ICMP packets contain the ASCII string "LOVE" embedded in them, along with other varying bytes.
- TTLs are intelligently spoofed, typically between 120 and 200.
- The storms have evolved to be more targeted, hitting smaller parts of the internet but with increased intensity.
- They often coincide with significant geopolitical or military events.
- The TCP traffic intelligently spoofs window sizes to mimic packets from various operating systems.
- Recent storms have avoided AWS but hit other providers like Cogent, Lumen, and Hurricane Electric.
- The ASN for the ICMP traffic is associated with a CDN organization servicing QQ, WeChat, and WePay.
- Possible theories include covert communications, DDoS attempts, misconfigured routers, command and control mechanisms, or attempts to create network congestion for traffic manipulation.
- The purpose and origin of these Noise Storms remain unknown despite ongoing investigation for over four years.
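As an added example (not part of this repository or the captures it holds), the following Python tags raw IPv4 packets with the indicators listed in the notes: a TTL in the 120-200 range, an ICMP payload carrying the ASCII marker "LOVE", and TCP to port 443. The sample packets are constructed inline; to run it over the PCAPs here you would feed it the IPv4 layer of each frame from a pcap reader of your choice.

```python
import struct

def parse_ipv4(raw):
    """Return (ttl, proto, payload) from a raw IPv4 packet, or None if malformed."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    ttl, proto = raw[8], raw[9]
    return ttl, proto, raw[ihl:total_len]

def noise_storm_indicators(raw):
    """Return the set of indicator names (from the notes above) that this packet matches."""
    parsed = parse_ipv4(raw)
    if parsed is None:
        return set()
    ttl, proto, payload = parsed
    hits = set()
    if 120 <= ttl <= 200:                      # spoofed TTL range seen in the storms
        hits.add("ttl-in-storm-range")
    if proto == 1 and len(payload) >= 8 and b"LOVE" in payload[8:]:
        hits.add("icmp-love-marker")           # marker after the 8-byte ICMP header
    if proto == 6 and len(payload) >= 4 and struct.unpack("!H", payload[2:4])[0] == 443:
        hits.add("tcp-443")                    # TCP destination port 443
    return hits

def build_ipv4(proto, ttl, payload, src=b"\xc0\x00\x02\x01", dst=b"\xc0\x00\x02\x02"):
    """Constructed sample packet (checksum left zero; fine for parsing)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, ttl, proto, 0, src, dst)
    return header + payload

# Constructed samples, not taken from the PCAPs in this repository.
ICMP_LOVE = build_ipv4(1, 150, struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"\x00LOVE\x7f\x3a")
TCP_443 = build_ipv4(6, 64, struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0))

def summarize(packets):
    """Count indicator hits across a list of raw IPv4 packets."""
    counts = {}
    for pkt in packets:
        for ind in noise_storm_indicators(pkt):
            counts[ind] = counts.get(ind, 0) + 1
    return counts

if __name__ == "__main__":
    print(summarize([ICMP_LOVE, TCP_443]))
```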