Researchers Investigate Mysterious “Noise Storms” in Global Internet Traffic
Experts from GreyNoise have reported that since January 2020, they have been observing large waves of so-called “Noise Storms” containing distorted internet traffic. Despite thorough analysis and years of monitoring, researchers have not been able to determine the origin or purpose of these “noises.”
Analysts believe that the “noises” could be related to secret communications, signals for coordinating DDoS attacks, hidden channels for controlling malware, or could simply be the result of misconfigurations. An intriguing aspect of the phenomenon is the presence of the ASCII string “LOVE” in observed ICMP packets, which adds even more confusion to the situation.
GreyNoise has published their theories about the “Noise Storms” in hopes that the global cybersecurity community can help solve the mystery and uncover the cause of these traffic anomalies.
Fake Traffic Waves and Their Characteristics
Researchers have reported observing waves of fake internet traffic originating from millions of spoofed IP addresses from various sources, including CDNs of Chinese platforms like QQ, WeChat, and WePay. These “storms” generate massive waves of traffic directed at specific providers (such as Cogent, Lumen, and Hurricane Electric), while avoiding others, particularly Amazon Web Services (AWS).
This traffic is mainly focused on TCP connections (especially through port 443), but there are also many ICMP packets, which have recently included the embedded ASCII string “LOVE,” as shown in the screenshot below.
It is also noted that parameters such as the TCP window size are altered to emulate different operating systems, making this activity harder to detect. The Time to Live (TTL) values, which determine how long a packet remains in the network before being discarded, are set between 120 and 200 to mimic real network hops.
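The traits described above can be turned into a simple triage filter for raw IPv4 packets. This is an added example, not GreyNoise's code or tooling; the function names, labels and sample packets are assumptions constructed for illustration.

```python
import struct
from typing import Optional

TTL_MIN, TTL_MAX = 120, 200   # TTL window reported for the storms
MARKER = b"LOVE"              # ASCII string reported in ICMP payloads

def classify(packet: bytes) -> Optional[str]:
    """Label a raw IPv4 packet that matches the reported traits, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                          # not IPv4 or truncated
    ihl = (packet[0] & 0x0F) * 4             # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return None
    ttl, proto, body = packet[8], packet[9], packet[ihl:]
    if not TTL_MIN <= ttl <= TTL_MAX:
        return None
    # ICMP (protocol 1): 8-byte header, then the payload that may carry the marker
    if proto == 1 and len(body) >= 8 and MARKER in body[8:]:
        return "icmp-love"
    # TCP (protocol 6): destination port sits at bytes 2-3 of the TCP header
    if proto == 6 and len(body) >= 20 and struct.unpack("!H", body[2:4])[0] == 443:
        return "tcp-443-candidate"           # weak signal on its own, triage only
    return None

def build_ipv4(proto: int, ttl: int, payload: bytes) -> bytes:
    """Constructed sample builder: minimal IPv4 header, checksum left at 0."""
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])  # RFC 5737 test nets
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       ttl, proto, 0, src, dst) + payload

def icmp_echo(data: bytes) -> bytes:
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data

def tcp_syn(dport: int, window: int) -> bytes:
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, window, 0, 0)

# Constructed packets, not taken from the published PCAPs
SAMPLES = [
    build_ipv4(1, 150, icmp_echo(b"\x00\x01LOVE\x00\x02")),  # marker, TTL in window
    build_ipv4(1, 64, icmp_echo(b"LOVE")),                   # marker, TTL too low
    build_ipv4(1, 150, icmp_echo(b"abcdefgh")),              # ordinary ping payload
    build_ipv4(6, 128, tcp_syn(443, 64240)),                 # TCP/443, TTL in window
    build_ipv4(6, 128, tcp_syn(80, 64240)),                  # TCP/80, ignored
]

def scan(packets):
    return [classify(p) for p in packets]

if __name__ == "__main__":
    print(scan(SAMPLES))
```

The TCP label only narrows the set for review, since ordinary hosts also send port 443 traffic with TTLs in this window; fragmented packets are not reassembled.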
Possible Intentions and Ongoing Investigation
Researchers say that overall, the format and characteristics of these “Noise Storms” look more like the deliberate work of a skilled individual than large-scale side effects of misconfigurations. In other words, the strange traffic imitates normal data flows, but its true purpose remains a mystery.
GreyNoise analysts have already published PCAP data from two recent “Noise Storms” on GitHub, inviting other cybersecurity researchers to join the investigation and share their thoughts on what is happening. A detailed account of their findings regarding the “Noise Storms” has also been published by GreyNoise on YouTube.