Tuesday, March 8, 2011

Low Orbit Ion Cannon (LOIC) Analysis

The Primordial Weapon of Cyberwar

The LOIC is a readily available, open-source application used in DDoS attacks; most notably used in the 'Anonymous' attacks against Visa, MasterCard and WordPress. Read more about LOIC attacks here.
"It's true that most of the operations performed under the Anonymous branding have been relatively unsophisticated, albeit effective: the attacks made on MasterCard and others were distributed denial-of-service attacks using a modified version of the Low Orbit Ion Cannon (LOIC) load-testing tool. The modified LOIC enables the creation of large botnets that each user opts into: the software can be configured to take its instructions from connections to Internet relay chat (IRC) chat servers, allowing attack organizers to remotely control hundreds of slave machines and hence control large-scale attacks that can readily knock websites offline."

Once a willing participant hands control over to the IRC channel, LOIC blasts away at a web server, using a loop of HTTP GET requests, TCP connections, and or UDP connections. One person using this application is not enough to bring down a web server, as the server should handle these requests; its when thousands of people use the tool to overwhelm the server that the DoS actually occurs. 

See the links section at the end of this post if you want to read more about the attacks and the 'group' labeled Anonymous.

A screen shot of the original LOIC v. written by Praetox - Note, this early version does not have the remote IRC control feature.

v. - The remote control over IRC feature allows individuals to participate and use their home bandwidth in an attack with no prior 'hacking' knowledge.

The Source

There are two different LOIC's that are popularly downloaded. There are many variants in the wild but all are based on the original code in C#. LOIC has been ported to other languages including Java and JavaScript.

LOIC v.1.0.4
Developed by abatishchev - http://sourceforge.net/projects/loic/

LOIC v.1.1.3
Developed by NewEraCracker - https://github.com/NewEraCracker/LOIC/

Each version has two main modules that do most of the 'work' in the aplication.


As the names imply, these are the two different methods LOIC uses to flood the web server with traffic.

Looking at the source, we can actually see what is happening and the difference between the two popular versions.  

LOIC v.1.0.4 (SourceForge.com)

byte[] buf = System.Text.Encoding.ASCII.GetBytes(String.Format("GET {0} HTTP/1.0{1}{1}{1}", Subsite, Environment.NewLine));
socket.Send(buf, SocketFlags.None);
These lines, neatly wrapped in a While loop, create a variable called buf and send that variable through a socket.

The buf variable is simply the text sent to a web server to make a legitimate request for a document on that server. When placed in the loop this seemingly innocent request starts to get not-so-innocent. One person using this is a load-testing tool but a few hundred people can cause some damage if they all point at one server.

byte[] buf = System.Text.Encoding.ASCII.GetBytes(Data);

socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp); 
while (IsFlooding)


socket = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp);

while (IsFlooding)

socket.SendTo(buf, SocketFlags.None, RHost);

The first flooding method besides HTTP requests, is the TCP connection, sending random message/data through a TCP connection, again not-so-innocently placed inside a while loop. The other flooding option is creating a UDP connection. The screen shots show a text input field where a user can specify the text they wish to send through the socket. 

LOIC v.1.1.3 (GitHub.com)

byte[] buf = System.Text.Encoding.ASCII.GetBytes(String.Format("GET {0}{1} HTTP/1.1{4}Accept: */*{4}User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0){4}{3}Host: {2}{4}{4}{4}", Subsite, ( AllowRandom ? new Functions().RandomString() : null ), Host, (AllowGzip ? "Accept-Encoding: gzip, deflate"+Environment.NewLine : null), Environment.NewLine));

IPEndPoint RHost = new IPEndPoint(System.Net.IPAddress.Parse(IP), Port);

The updated version performs the same HTTP GET request but this time is spoofs browser headers (Mozilla/4.0(Compatible; MSIE 7.0 Windows NT 6.0), sends a random string as part of the request, allows GZip compression, and as usual you need to end the request with a few Enter keystrokes (Environment.NewLine) just like when you telnet into a web server to make the request manually.

socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream,ProtocolType.Tcp);


socket = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp);


while (IsFlooding)

buf = System.Text.Encoding.ASCII.GetBytes(String.Concat(Data, (AllowRandom ? new Functions().RandomString() : null) ));

socket.SendTo(buf, SocketFlags.None, RHost);
The XXPFlooder is practically the same, except this version concatenates the user input text message with a random string and sends that through either a TCP or UDP connection.

Defend your network from a LOIC attack

Proxies and Tor can't be used in this type of attack because the DoS traffic will overwhelm the proxy or Tor network. This attack exposes the client IP address, as if they were making thousands of legitimate requests. If you are attacked with a DDoS, log every connection attempt that you possibly can.

Defense against this type of DDoS attack include:

- Limit the number of requests per IP address per second.

- Use firewalls that support layer 7 HTTP inspection.

- Ingress Filtering


LOIC on GitHub - pageview traffic from Dec 2010 to present (Mar 2011) Yes, thats 35K page views in Dec 2010. Operation Avenge Assange was launched in Dec 2010, targeting PayPal, Visa, MasterCard and the Swedish Prosecution Authority. The traffic appears to have fallen off since then.

Have a look at download statistics for LOIC hosted on SourceForge. Top downloading country: the United States, top OS: Windows. Its staggering that this is an opt-in, point-and-click attack and the source seems to be concentrated in the United States.




- LOIC DDoS Analysis, Wireshark and Snort

- Operation Payback used LOIC

- DACS Paper on LOIC & Anonymous

- WordPress attacked by LOIC

- More about LOIC

Computer Biology

No comments:

Post a Comment