Notes and receipts (PCAPs) for TCP and ICMP Noise Storms
See this episode of Storm⚡️Watch for more information.
brazil-storm-small-tcp-sample/: sample of a TCP Noise Storm mentioned in the episodenoise-storm-icmp-brazil/: full capture of the ICMP Noise Storm mentioned in the episodeNoise Storms are large-scale spoofed packet events first observed in January 2020, coinciding with the U.S. military action against Iranian General Soleimani.
They involve millions of spoofed IP addresses, primarily appearing to originate from Brazil in recent months.
The traffic is mostly TCP (port 443) and ICMP, with no UDP traffic observed.
Recent ICMP packets contain the ASCII string "LOVE" embedded in them, along with other varying bytes.
TTLs are intelligently spoofed, typically between 120 and 200.
The storms have evolved to be more targeted, hitting smaller parts of the internet but with increased intensity.
They often coincide with significant geopolitical or military events.
The TCP traffic intelligently spoofs window sizes to mimic packets from various operating systems.
Recent storms have avoided AWS but hit other providers like Cogent, Lumen, and Hurricane Electric.
The ASN for the ICMP traffic is associated with a CDN organization servicing QQ, WeChat, and WePay.
Possible theories include covert communications, DDoS attempts, misconfigured routers, command and control mechanisms, or attempts to create network congestion for traffic manipulation.
The purpose and origin of these Noise Storms remain unknown despite ongoing investigation for over four years.