Ping Storms at GreyNoise
David Schuetz explored "ping storms" and ICMP traffic data from GreyNoise, analyzing packets with "LOVE" to investigate covert communication, but found flaws and misidentifications suggesting academic project involvement.
David Schuetz discusses his exploration of "ping storms" observed by GreyNoise, a cybersecurity company that monitors internet background noise. During a recent talk at BSidesNoVA, Andrew Morris from GreyNoise highlighted a significant increase in ICMP traffic and incomplete TCP handshakes, which they refer to as "ping storms." Schuetz became intrigued by the data and began analyzing a smaller dataset provided by Morris. He developed a tool using the Scapy library to parse the data, focusing on ICMP packets that contained the word "LOVE" in their payload. Schuetz speculated on the possibility of covert communication through these packets, likening it to historical espionage methods. However, he identified several flaws in this theory, including the impracticality of the method and the limited data capacity of the packets. His analysis led him to discover that some packets were misidentified by Wireshark as "HIPERCONTRACER" packets, which are used for monitoring packet travel time. This revelation suggested that the observed traffic might be part of an academic project rather than covert communication. Schuetz's investigation illustrates the complexities of analyzing network traffic and the potential for misinterpretation in cybersecurity research.
- GreyNoise monitors internet background noise, including ICMP traffic and TCP handshakes.
- Schuetz analyzed ICMP packets containing the word "LOVE" to explore potential covert communication.
- He identified flaws in the theory of covert communication through ping storms.
- Some packets were misidentified as "HIPERCONTRACER," indicating they may be part of an academic project.
- The analysis highlights the challenges of interpreting network traffic in cybersecurity.
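The parse-and-filter step the summary describes, as an added example that is not Schuetz's tool and does not use Scapy: a dependency-free Python parser for raw IPv4/ICMP packets that flags echo payloads containing "LOVE", verifies the ICMP checksum, and tallies hits per source address. The sample packets are constructed inline from documentation address ranges, not taken from GreyNoise data; the marker match and the per-source tally are heuristics, which is the same trap the summary's Wireshark dissector misidentification illustrates.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

PROTO_ICMP = 1
MARKER = b"LOVE"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 when the buffer's own checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class IcmpRecord:
    src: str
    dst: str
    ttl: int
    icmp_type: int
    code: int
    ident: int
    seq: int
    payload: bytes
    checksum_ok: bool


def parse_ipv4_icmp(pkt: bytes) -> Optional[IcmpRecord]:
    """Parse a raw IPv4 packet; return a record for ICMP, None for other protocols or truncated input."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != PROTO_ICMP or ihl < 20 or total_len > len(pkt):
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    icmp = pkt[ihl:total_len]
    if len(icmp) < 8:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return IcmpRecord(src, dst, pkt[8], icmp_type, code, ident, seq, icmp[8:], inet_checksum(icmp) == 0)


def find_marker_packets(packets: List[bytes], marker: bytes = MARKER) -> List[IcmpRecord]:
    """Keep ICMP packets whose payload contains the marker. A byte-string match is a heuristic:
    it says nothing about who sent the packet or why, only that the bytes are present."""
    hits = []
    for pkt in packets:
        rec = parse_ipv4_icmp(pkt)
        if rec is not None and marker in rec.payload:
            hits.append(rec)
    return hits


def count_by_source(records: List[IcmpRecord]) -> Dict[str, int]:
    """Tally hits per source address. Noise-storm sources are reported as spoofed,
    so this is a view of the capture, not attribution."""
    counts: Dict[str, int] = {}
    for rec in records:
        counts[rec.src] = counts.get(rec.src, 0) + 1
    return counts


def build_echo(src: str, dst: str, ttl: int, ident: int, seq: int, payload: bytes, icmp_type: int = 8) -> bytes:
    """Build a constructed IPv4/ICMP echo packet with valid checksums (sample data only)."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    icmp = struct.pack("!BBHHH", icmp_type, 0, inet_checksum(hdr + payload), ident, seq) + payload
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    fields = [0x45, 0, 20 + len(icmp), 0, 0, ttl, PROTO_ICMP, 0, src_b, dst_b]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + icmp


# Constructed sample packets (documentation address ranges, not captured traffic).
SAMPLE_PACKETS = [
    build_echo("198.51.100.7", "203.0.113.10", 64, 0x1234, 1, MARKER + bytes(28)),
    build_echo("198.51.100.7", "203.0.113.10", 64, 0x1234, 2, MARKER + bytes(28)),
    build_echo("192.0.2.55", "203.0.113.10", 57, 0x0001, 1, bytes(range(0x10, 0x38))),  # ordinary ping-style payload
    build_echo("192.0.2.9", "203.0.113.10", 200, 0x0001, 1, b"", icmp_type=0),  # echo reply, empty payload
    b"\x45\x00\x00",  # truncated junk; the parser returns None
]

if __name__ == "__main__":
    hits = find_marker_packets(SAMPLE_PACKETS)
    for rec in hits:
        print(f"{rec.src} -> {rec.dst} ttl={rec.ttl} id={rec.ident:#06x} seq={rec.seq} csum_ok={rec.checksum_ok}")
    print(count_by_source(hits))
```

To run it over a real capture, feed `find_marker_packets` the IPv4 layer of each frame (strip the link-layer header first); the TTL, identifier and sequence fields it keeps are the values worth comparing across a storm before trusting any dissector label or source-address tally.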
Related
Bringing insights into TCP resets and timeouts to Cloudflare Radar
Cloudflare launched a dashboard and API for real-time insights into TCP connection resets and timeouts, revealing that 20% of connections face issues, potentially indicating malicious activity or network errors.
Pixhell Attack: Leaking Info from Air-Gap Computers via 'Singing Pixels'
The PIXHELL attack enables data leakage from air-gapped computers by using screen-generated sound, transmitting sensitive information over 2 meters while employing evasion techniques and suggesting countermeasures for protection.
Mysterious "LOVE" packet storms flood the internet since 2020
GreyNoise has been monitoring "Noise Storms" since January 2020, characterized by spoofed traffic and a "LOVE" ASCII string, targeting specific ISPs and emphasizing the need for advanced cybersecurity strategies.
Notes and Receipts (PCAPs) for TCP and ICMP Noise Storms
The GitHub repository "2024-09-noise-storms" includes notes and PCAP files on TCP and ICMP Noise Storms, characterized by spoofed packets, geopolitical links, and various theories on their motivations.
Network Traffic Analysis of ICMP "Love" Noise Storms
David Schuetz shared insights from BSidesNoVA, discussing GreyNoise's monitoring of internet traffic, particularly ICMP spikes, and his findings on covert communication and packet analysis, highlighting challenges in interpreting network data.
It all reminds me a lot of Dan Kaminsky's classic presentations at DefCon where he found new and interesting places where that could fit and what you could do with it.
When I clicked on the GreyNoise corporate website to read their posts on it, it sounds pretty close to armageddon.
"Something is happening, we think you need to be really scared. The only thing that will help is to buy the services our startup provides you."
>These events have stumped cybersecurity experts and now pose new, complex risks, demanding attention from security professionals worldwide. These persistent mysteries add new layers of complexity to the cybersecurity landscape, prompting security leaders to reevaluate their defenses and ensure they are equipped with the right tools for an ironclad security posture.
> China China
>Prioritize What Matters: With an overwhelming number of alerts, it’s critical to employ tools that cut through irrelevant noise and prioritize actionable threats. Optimize Resource Efficiency: With security teams under immense pressure, solutions that reduce false positives can help optimize time and resources. Be Proactive: Reactivity is no longer sufficient. Noise Storms demonstrate that security is about anticipating and mitigating risks before they cause disruption. Use Actionable Intelligence: Sophisticated threats require real-time, actionable intelligence capable of detecting traffic anomalies like Noise Storms — and any black swan that may follow.