
What is Low Orbit Ion Cannon (LOIC)

For a tool that can cause serious damage to a website, LOIC is relatively simple. What it does, basically, is send multiple requests and flood a targeted IP with TCP or UDP packets or HTTP requests.

One person cannot single-handedly use LOIC to cause a DoS, so a number of users have to come together to attack the website of a target, slowing down its server by sending multiple requests and generating traffic.

The Low Orbit Ion Cannon has enjoyed mass adoption because of its simplicity: anybody can use it. The best way to carry out a coordinated attack is hivemind mode, which connects the group of attackers to an IRC (Internet Relay Chat) channel.

The attackers send a command through the hivemind mode; this command contains the attack details and the target systems. This mode allows one user to gain full control over all the LOIC instances, which amounts to a voluntary botnet.

LOIC has limitations, probably because it was not originally designed for this purpose (this will be discussed in this article). For starters, there is no anonymity or redirection through a proxy: your identity can easily be traced and you can be prosecuted for carrying out a DoS attack. Identifying and blocking DoS attacks carried out through LOIC is easy because all requests follow one template. That is probably why the hacktivist group Anonymous developed HOIC, a supposed improvement on LOIC.


What is LOIC?

The Low Orbit Ion Cannon (LOIC) used to be a network stress testing application but is now used for DoS and DDoS attacks.

The Low Orbit Ion Cannon (LOIC) was originally private stress testing software developed by Praetox Technology. Over time it became open source.

Since it became accessible to the public, people have hijacked it to launch DoS and DDoS attacks, and it is now mostly used for malicious purposes.

Despite its potential for causing harm, it is accessible and straightforward to use; this means you do not need technical knowledge to launch a DoS or DDoS attack.

The Low Orbit Ion Cannon is responsible for many attacks, including attacks by members of the hacktivist group Anonymous and by users of the 4chan forums.

Use of the tool is rising, probably because it is easy to use and easy to access. You can download it from the internet without restriction, and its interface is easy to navigate, so an attack can be launched within minutes.

LOIC was originally Windows software written in C#. It was first published on SourceForge, an open-source software hosting site. Over time it became available for other operating systems such as Linux, OS X, Android and iOS.

You can also run the tool from a web browser, using its JavaScript version (JS LOIC) and a web version known as the Low Orbit Web Cannon.

The tool has been in the news for many negative reasons; some of the high-profile DDoS attacks associated with it include:

Project Chanology: In 2008, the Church of Scientology issued a complaint about copyright violation for some of its videos that had been put up on YouTube. In response to the complaint, an attack was launched.

Operation Payback: This malicious attack took place in 2010. It was a viral campaign that targeted organizations that opposed WikiLeaks; Visa, MasterCard, PayPal, Sony and the PlayStation Network were all targets.

Operation Megaupload: In 2012, after the shutdown of Megaupload, an attack was launched against all parties involved in the shutdown. It targeted organizations such as Universal Music Group, the US Department of Justice, and more.

To get a better grasp of LOIC, you must first understand what DoS and DDoS are all about.

[Image: Low Orbit Ion Cannon screen]

Denial Of Service

Denial of Service, or DoS, is like the first step of every newbie hacker; it is a prevalent attack methodology used worldwide against networks to bring down their target services.

What it does is block the server, making it incapable of accepting requests from valid visitors.

There are DoS and DDoS attacks; they aim at the same result, the only difference being where the traffic comes from:

In a DoS attack on a vulnerable server from a single IP, the attacker sends an overwhelming number of requests to the target. As the target tries to reply to each packet, the request flow exceeds its accepting capacity and overwhelms its bandwidth. There is no longer room for new connections, which inevitably leads to denial of service for new connections.

You can prevent this with the help of modern firewalls. All you need to do is attach a small script or rule set to them; with this, you can limit the number of connections an IP or IP range may open.

On the other hand, a Distributed DoS attack, or DDoS, is carried out through botnets.

Botnets are built by sending out bait links or attachments; once victims fall for the trap, the attacker gains access to their internet-connected computers, webcams or smart devices.

Once the attacker controls a botnet, it has usually been pre-instructed to carry out a DoS attack, so all the devices in the botnet direct their traffic at the target.

Once the attack is launched, the target is overwhelmed by requests from multiple IPs across the internet, which leads to the breakdown of its server.

The difference between DDoS and DoS is that DDoS uses multiple IPs. Since there are multiple IPs, you face the huge task of blocking all of them. That is not the worst of it: distinguishing legitimate users' packets from attack traffic is the real job.


How LOIC works

The entire process is simple: it is about jamming the target server with TCP, UDP or HTTP packets, which disrupts the service. It requires a collective effort by people with the same intent.

Using LOIC is surprisingly easy: it targets a specific IP address with either TCP or UDP packets, or with HTTP requests to a specific port.

One person cannot single-handedly launch an attack, so they need to collaborate with a number of other users. The idea is that they all point LOIC at one server and, through sheer numbers, slow or interrupt it with unusually high network traffic.

As already stated, the Low Orbit Ion Cannon needs little or no technical knowledge to operate; anyone familiar with basic technology such as a mobile phone or a PC will find it easy. For an organized DDoS attack the application is used in hivemind mode.

In hivemind mode the tool simply connects to an Internet Relay Chat channel. This mode also allows one person to take total control of the LOIC instances on many users' computers, so the attack is performed by a voluntary botnet.

Although easy to use, LOIC has a downside: the people taking part in the attack cannot hide their identity or redirect through proxies. Hence, if you participate in a DDoS attack using LOIC, you can easily be tracked and prosecuted.

A DDoS launched through LOIC is also easy to block, since all requests follow one pattern. However, there is a more technical version known as the High Orbit Ion Cannon (HOIC).


Type of attacks

A DoS through LOIC opens multiple connections to the target server and sends continuous strings of messages, set through the TCP/UDP message parameter in the software.

In a TCP or UDP attack the string is sent as plain text; in an HTTP attack it is sent as an HTTP GET message.

UDP Attack

  • Before starting the attack, UDP is selected as the method of attack.
  • Port 80 is pre-selected; this can be changed as needed.
  • UDP is a connectionless protocol.

Here is the header of the Snort rule that detects LOIC in UDP mode:

alert udp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SLR - LOIC DoS Tool (UDP Mode) - Behavior Rule (tracking/threshold)"; 

TCP Attack:

  • This method is no different from the UDP attack; they use the same procedure. However, unlike UDP, TCP is a connection-based protocol.
  • TCP is chosen as the attack type.

HTTP Attack:

  • This attack is a little different: the tool sends HTTP requests to the targeted server.
  • If the target has a web application firewall, it will easily detect the HTTP attack.

Here is the Snort rule that detects the HTTP attack, followed by the alerts it raises when run against a packet capture of LOIC HTTP traffic:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SLR - LOIC DoS Tool (HTTP Mode)"; flow:established,to_server; content:"|47 45 54 20 0d 0a|"; threshold:type threshold, track by_src, count 10, seconds 10; reference:url,www.simpleweb.org/reports/loic-report.pdf; classtype:misc-activity; sid:1234569; rev:1;)

# snort -c snort-test.conf -A console -q -r /LABS2/LOIC/PCAP/LOIC-http.pcap -O
01/27-11:57:52.977537 [**] [1:1234569:1] SLR - LOIC DoS Tool (HTTP Mode) [**] [Classification: Misc activity] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:55178 -> xxx.xxx.xxx.xxx:80
01/27-11:57:54.184679 [**] [1:1234569:1] SLR - LOIC DoS Tool (HTTP Mode) [**] [Classification: Misc activity] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:55188 -> xxx.xxx.xxx.xxx:80
01/27-11:57:55.111591 [**] [1:1234569:1] SLR - LOIC DoS Tool (HTTP Mode) [**] [Classification: Misc activity] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:55198 -> xxx.xxx.xxx.xxx:80
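To make the rule's threshold clause concrete, here is an added Python example that is not part of the original article and not Snort's own code. It parses alert lines in the console format shown above and counts them per source IP (the list a defender blocks or reports), and it approximates the "threshold: type threshold, track by_src, count 10, seconds 10" logic over a constructed stream of packets: a flooding source, a slow source that never reaches the threshold, and a normal browser whose "GET /" request does not contain the rule's content pattern (GET followed by a space and CRLF). The addresses are documentation ranges, the packets are constructed, and the thresholding is a simplified model of Snort's behaviour, not its exact implementation.

```python
import re
from collections import defaultdict

# Constructed sample of Snort "-A console" alert lines in the same layout as
# the output quoted above (addresses replaced with documentation ranges).
SAMPLE_ALERTS = """\
01/27-11:57:52.977537 [**] [1:1234569:1] SLR - LOIC DoS Tool (HTTP Mode) [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:55178 -> 192.0.2.10:80
01/27-11:57:54.184679 [**] [1:1234569:1] SLR - LOIC DoS Tool (HTTP Mode) [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:55188 -> 192.0.2.10:80
01/27-11:57:55.111591 [**] [1:1234569:1] SLR - LOIC DoS Tool (HTTP Mode) [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.4:40001 -> 192.0.2.10:80
"""

# Fields of one console alert line: timestamp, gid:sid:rev, message, protocol,
# source ip:port and destination ip:port.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        fields[key] = int(fields[key])
    return fields


def alerts_by_source(text):
    """Count alert lines per source IP: the addresses a defender blocks or reports."""
    counts = defaultdict(int)
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert:
            counts[alert["src"]] += 1
    return dict(counts)


# The rule's content match |47 45 54 20 0d 0a| is "GET " followed by CRLF.
LOIC_HTTP_CONTENT = bytes.fromhex("474554200d0a")


def matches_loic_http(payload):
    """True when the payload contains the rule's content pattern."""
    return LOIC_HTTP_CONTENT in payload


def threshold_by_src(events, count=10, seconds=10):
    """Approximate Snort 'threshold: type threshold, track by_src'.

    events: iterable of (timestamp_in_seconds, src_ip, payload_bytes) in time
    order. One alert is emitted each time `count` matching packets from the same
    source fall inside a `seconds` window; the window and counter reset when the
    window expires or an alert fires. Returns a list of (timestamp, src_ip).
    (Assumption: a simplified model of Snort's thresholding, not its exact code.)
    """
    state = {}  # src_ip -> [window_start, matches_in_window]
    alerts = []
    for ts, src, payload in events:
        if not matches_loic_http(payload):
            continue
        win = state.setdefault(src, [ts, 0])
        if ts - win[0] >= seconds:      # window expired: start a new one
            win[0], win[1] = ts, 0
        win[1] += 1
        if win[1] >= count:             # enough hits in the window: alert, reset
            alerts.append((ts, src))
            win[0], win[1] = ts, 0
    return alerts


def build_sample_events():
    """Constructed traffic: a flooder, a slow sender and a normal browser."""
    events = []
    # Flooding source: 25 LOIC-style requests 0.2 s apart (two alerts expected).
    events += [(i * 0.2, "198.51.100.7", b"GET \r\n") for i in range(25)]
    # Slow source: one LOIC-style request every 2 s never reaches 10 in 10 s.
    events += [(i * 2.0, "203.0.113.4", b"GET \r\n") for i in range(15)]
    # Normal browser request: "GET " is followed by a path, not by CRLF.
    events += [(i * 1.0, "192.0.2.55", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
               for i in range(3)]
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    print("alerts per source:", alerts_by_source(SAMPLE_ALERTS))
    for ts, src in threshold_by_src(build_sample_events()):
        print(f"threshold alert at t={ts:.1f}s from {src}")
```

Running the script shows why the rule is specific: only the flooding source crosses ten hits within ten seconds (it alerts twice, at its tenth and twentieth packet), the slow sender never does, and the real browser never matches the content pattern at all.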

How LOIC works - Step by step

Downloading:

LOIC can be obtained faster than ordering a pizza. All you need to do is search for LOIC on Google and you are good to go. It is best run on a Linux distribution (Kali Linux).

Once you have downloaded the software, run it. The first requirement is to provide the IP or URL of the target in a section called Target Section 1; it appears in the selected target box.

After that, choose an attack method and then monitor the attack status.

Use the slider to set the speed of the attack; by default the speed is fast, but you can slow the pace. Here are some fields and their meaning.

IDLE: This lets you monitor the threads that are idle. If it stays at zero, the attack is more effective.

Connecting: This is the number of connections attempting to connect to the targeted server.

Requesting: Here you can see the number of connections that are demanding information from the target's server.

Downloading: This displays all connections trying to initiate a download of information from the server.

Downloaded: This displays the number of times data initiated from the victim's server has been downloaded.

Requested: This shows how many times a data download has been requested from the victim's server.

Failed: This gives the number of times the server failed to respond to requests. A large number of failures means the server is about to go down or is already down; the success of a DoS attack is measured by how high this number gets.


How to defend against LOIC attacks

Now that we understand how LOIC works, let's look at how to prevent it.

The best way to prevent a LOIC attack is through your internet service provider. If you are using a large provider, there is a good chance it already has a DDoS mitigation mechanism. Choose a cloud provider with more bandwidth than LOIC can saturate; then LOIC attacks will not be able to cause harm.

However, if you are hosting your own web server, you will have to defend against LOIC yourself. Hence you will need intrusion detection and prevention systems such as Snort. If you detect a LOIC attack, all you need to do is filter out all packets from the offending IPs.

Another method is to configure your firewall to restrict the number of requests per minute. With that restriction you can filter out attack traffic without affecting your legitimate users.

Here's another way to look at it.

If it is a small LOIC HTTP attack, your local firewall can protect you: your service provider looks at the logs, identifies the attackers' IPs, pushes them out, and rejects their requests. This is easy because your service provider does the job. However, against a large-scale attack this method will not help much.

If there are TCP or UDP floods, local firewalls are incapable of handling them. UDP is so dangerous that it can disrupt the firewall itself.

So what's the way out?

A Web Application Firewall (WAF) is stronger and can help protect against HTTP floods.

Overall, it is easy to detect attackers that use LOIC. Their IPs are visible, and since countries like the U.S., U.K., Spain and Turkey have laws to prosecute hackers, the number of people using the tool has fallen.

  1. Ensure your router and firewalls are configured to block access from invalid IP addresses and to drop suspicious protocols. This is very important; you may be lucky, as some firewalls and routers come with features that prevent TCP/UDP floods. Access to your server should require a login; this way you can examine requests and identify suspicious IP addresses. It is your responsibility to turn those suspicious IPs over to law enforcement to prevent future attacks.
  2. The next step should be to use an intrusion detection/prevention system (IDS/IPS); it can help you detect suspicious or supposedly valid protocols being used to launch an attack. If you are using a compatible product and network, the IPS can block the attack traffic for you.
  3. Reach out to your provider for help. Providers can detect and block attack traffic before it even reaches your bandwidth.
  4. Always be ready for an attack: have an incident response plan set up and activate it as soon as you suspect an attack.
  5. Keep a good channel of communication with your users or visitors, whether by mail or social media. If there is an attack, contact them immediately.
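To illustrate steps 1 and 2 together with the per-IP connection limit mentioned in the DoS section, here is an added Python example that is not code from the article, from Snort, or from any firewall product. It models a simple inbound connection policy: it drops packets whose source address lies in ranges that should never reach a public server, drops protocol/port pairs the host does not serve (so a LOIC UDP flood aimed at port 80 is rejected outright), caps concurrent connections per source so a TCP flood cannot hold the server's slots, and then lists the sources with many dropped attempts for review. The address ranges, the cap of 20 connections per source, the allowed services and the traffic stream are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Source ranges that should never appear on traffic arriving from the public
# Internet (unspecified, RFC 1918 private, loopback, link-local, multicast and
# reserved). Assumption: a starting set, not a complete bogon feed.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Services the host actually exposes, as (protocol, port). UDP to port 80 is
# not served, so a LOIC UDP flood aimed at the web port is dropped outright.
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443)}

MAX_CONNS_PER_IP = 20  # assumed cap on concurrent connections per source


class ConnectionPolicy:
    """Stateful inbound policy: bogon filter, service filter, per-IP cap."""

    def __init__(self, max_conns_per_ip=MAX_CONNS_PER_IP):
        self.max_conns = max_conns_per_ip
        self.open = defaultdict(int)  # src_ip -> currently open connections
        self.log = []                 # (verdict, reason, src, proto, dport)

    def new_connection(self, src, proto, dport):
        """Decide on a new inbound connection; returns (verdict, reason)."""
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in BOGON_NETS):
            return self._record("drop", "bogon source", src, proto, dport)
        if (proto, dport) not in ALLOWED_SERVICES:
            return self._record("drop", "no such service", src, proto, dport)
        if self.open[src] >= self.max_conns:
            return self._record("drop", "per-ip connection limit", src, proto, dport)
        self.open[src] += 1
        return self._record("accept", "ok", src, proto, dport)

    def close_connection(self, src):
        """Release one connection slot when a client disconnects."""
        if self.open[src] > 0:
            self.open[src] -= 1

    def _record(self, verdict, reason, src, proto, dport):
        self.log.append((verdict, reason, src, proto, dport))
        return verdict, reason


def suspicious_sources(policy, min_drops=10):
    """Sources with at least min_drops dropped attempts: the addresses step 1
    says to examine and, if warranted, hand to law enforcement."""
    drops = defaultdict(int)
    for verdict, _reason, src, _proto, _dport in policy.log:
        if verdict == "drop":
            drops[src] += 1
    return {src: n for src, n in drops.items() if n >= min_drops}


def simulate():
    """Run constructed traffic through the policy and return it for inspection."""
    policy = ConnectionPolicy()
    # A legitimate client opens three HTTPS connections and closes one.
    for _ in range(3):
        policy.new_connection("192.0.2.55", "tcp", 443)
    policy.close_connection("192.0.2.55")
    # A UDP flood at port 80 from one source: every packet is dropped.
    for _ in range(50):
        policy.new_connection("198.51.100.7", "udp", 80)
    # A TCP flood trying to hold 60 simultaneous connections: 20 accepted, 40 dropped.
    for _ in range(60):
        policy.new_connection("203.0.113.4", "tcp", 80)
    # A packet with a spoofed private source address.
    policy.new_connection("10.1.2.3", "tcp", 80)
    return policy


if __name__ == "__main__":
    p = simulate()
    accepted = sum(1 for v in p.log if v[0] == "accept")
    print(f"accepted {accepted} of {len(p.log)} connection attempts")
    print("sources to review:", suspicious_sources(p))
```

The point of the three checks in that order is that the cheap, stateless ones (bogon source, unserved protocol) run before the stateful per-IP counter, so a UDP flood never consumes connection state at all; the legitimate client in the simulation keeps its slots while the flooding TCP source is held to the cap.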

If the attack is small-scale, you can detect and block it manually, just with the help of your network traffic monitors and firewalls. However, some attacks are more severe and better coordinated; in such cases you can only stop them with the help of a dedicated security solution.

One good dedicated security solution is Imperva Website Protection. It analyzes incoming HTTP/S traffic and also helps stop LOIC TCP and HTTP floods.

Imperva DDoS Protection, another product you should try, is built to protect against UDP attacks. It uses Anycast technology and deep packet inspection to identify and block suspicious traffic.

