Tuesday, March 8, 2011

Low Orbit Ion Cannon (LOIC) Analysis

The Primordial Weapon of Cyberwar

The LOIC is a readily available, open-source application used in DDoS attacks, most notably the 'Anonymous' attacks against Visa, MasterCard and WordPress (see the links at the end of this post).
"It's true that most of the operations performed under the Anonymous branding have been relatively unsophisticated, albeit effective: the attacks made on MasterCard and others were distributed denial-of-service attacks using a modified version of the Low Orbit Ion Cannon (LOIC) load-testing tool. The modified LOIC enables the creation of large botnets that each user opts into: the software can be configured to take its instructions from connections to Internet relay chat (IRC) chat servers, allowing attack organizers to remotely control hundreds of slave machines and hence control large-scale attacks that can readily knock websites offline."
(Arstechnica.com)

Once a willing participant hands control over to the IRC channel, LOIC blasts away at a web server using a loop of HTTP GET requests, TCP connections and/or UDP datagrams. One person using this application is not enough to bring down a web server, since the server should handle that load; it's when thousands of people use the tool at once that the server is overwhelmed and the DoS actually occurs.

See the links section at the end of this post if you want to read more about the attacks and the 'group' labeled Anonymous.
 

A screenshot of the original LOIC v.1.0.0.0 written by Praetox. Note that this early version does not have the remote IRC control feature.


v.1.1.1.16 - The remote control over IRC feature allows individuals to participate and use their home bandwidth in an attack with no prior 'hacking' knowledge.


The Source

There are two different LOICs that are popularly downloaded. There are many variants in the wild, but all are based on the original C# code. LOIC has also been ported to other languages, including Java and JavaScript.


LOIC v.1.0.4
Developed by abatishchev - http://sourceforge.net/projects/loic/

LOIC v.1.1.3
Developed by NewEraCracker - https://github.com/NewEraCracker/LOIC/

 
Each version has two main modules that do most of the 'work' in the application.

HTTPFlooder.cs 
XXPFlooder.cs

As the names imply, these are the two different methods LOIC uses to flood the web server with traffic.

Looking at the source, we can actually see what is happening and the difference between the two popular versions.  


LOIC v.1.0.4 (SourceForge.com)


HTTPFlooder.cs
[...]
byte[] buf = System.Text.Encoding.ASCII.GetBytes(String.Format("GET {0} HTTP/1.0{1}{1}{1}", Subsite, Environment.NewLine));
[...]
socket.Send(buf, SocketFlags.None);
These lines, neatly wrapped in a while loop, build a byte array called buf and send it through a socket.

The buf variable is simply the text a client sends to a web server to make a legitimate request for a document on that server. Placed in the loop, this seemingly innocent request starts to get not-so-innocent. In the hands of one person this is a load-testing tool, but a few hundred people can cause some damage if they all point it at one server.

XXPFlooder.cs
byte[] buf = System.Text.Encoding.ASCII.GetBytes(Data);
[...]

socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp); 
socket.Connect(RHost);
[...]
while (IsFlooding)
socket.Send(buf);

[...]

socket = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp);

while (IsFlooding)

socket.SendTo(buf, SocketFlags.None, RHost);

The first flooding method besides HTTP requests is the TCP connection, sending random message/data through a TCP socket, again not-so-innocently placed inside a while loop. The other flooding option is a UDP socket doing the same. The screenshots show a text input field where a user can specify the text they wish to send through the socket.



LOIC v.1.1.3 (GitHub.com)


HTTPFlooder.cs
byte[] buf = System.Text.Encoding.ASCII.GetBytes(String.Format("GET {0}{1} HTTP/1.1{4}Accept: */*{4}User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0){4}{3}Host: {2}{4}{4}{4}", Subsite, ( AllowRandom ? new Functions().RandomString() : null ), Host, (AllowGzip ? "Accept-Encoding: gzip, deflate"+Environment.NewLine : null), Environment.NewLine));

IPEndPoint RHost = new IPEndPoint(System.Net.IPAddress.Parse(IP), Port);

The updated version performs the same HTTP GET request, but this time it spoofs browser headers (User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)), appends a random string to the requested path, optionally advertises gzip compression (Accept-Encoding), and, as usual, ends the request with a few Enter keystrokes (Environment.NewLine), just like when you telnet into a web server and make the request by hand.


XXPFlooder.cs 
socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream,ProtocolType.Tcp);

or

socket = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp);

[...]

while (IsFlooding)

buf = System.Text.Encoding.ASCII.GetBytes(String.Concat(Data, (AllowRandom ? new Functions().RandomString() : null) ));

socket.SendTo(buf, SocketFlags.None, RHost);
The XXPFlooder is practically the same, except that this version concatenates the user-entered text with a random string and sends the result through either a TCP or a UDP socket.


Defend your network from a LOIC attack

Proxies and Tor can't be used in this type of attack, because the flood traffic would overwhelm the proxy or the Tor network itself. The attack therefore exposes the participant's real client IP address, which shows up on the server as if it were making thousands of legitimate requests. If you are hit with a DDoS, log every connection attempt you possibly can.

Defenses against this type of DDoS attack include:

- Limit the number of requests per IP address per second.
http://www.cyberciti.biz/tips/lighttpd-set-throughput-connections-per-ip.html

- Use firewalls that support layer 7 HTTP inspection.
http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.5/vfw/configuration/guide/vfc35int.html

- Ingress Filtering
http://en.wikipedia.org/wiki/Ingress_filtering
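The two request formats shown in the source excerpts above, together with the per-IP rate limit suggested here, give a server operator something concrete to look for in traffic. The following Python script is an added example written for this post; it is not code from the LOIC project or from any of the linked pages. It parses raw HTTP requests, classifies them by the two LOIC request shapes visible in HTTPFlooder.cs (the bare HTTP/1.0 GET with no headers, and the HTTP/1.1 GET with the hard-coded MSIE 7.0 User-Agent and almost no other headers), and counts requests per source IP per second. All traffic, IP addresses (RFC 5737 documentation ranges) and the 20 requests-per-second threshold are constructed assumptions for the demonstration.

```python
"""Added example: classify raw HTTP requests against the LOIC request shapes
shown in the post and flag source IPs by per-second request rate.
Not code from the LOIC project; all sample traffic below is constructed."""
from collections import defaultdict

# The fixed User-Agent string from the v.1.1.3 HTTPFlooder.cs excerpt.
LOIC_113_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"


def parse_request(raw):
    """Parse a raw HTTP request into (method, path, version, headers).
    Header names are lower-cased; a malformed request line yields None."""
    text = raw.decode("ascii", errors="replace")
    lines = text.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    method, path, version = parts
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def classify(raw):
    """Label one request as 'loic-1.0.4-like', 'loic-1.1.3-like', 'normal' or 'malformed'."""
    parsed = parse_request(raw)
    if parsed is None:
        return "malformed"
    _method, _path, version, headers = parsed
    # v.1.0.4: "GET <path> HTTP/1.0" followed by nothing at all. Real HTTP/1.0
    # clients are rare, and even they normally send at least a User-Agent.
    if version == "HTTP/1.0" and not headers:
        return "loic-1.0.4-like"
    # v.1.1.3: hard-coded MSIE 7 UA, "Accept: */*", Host and optionally
    # Accept-Encoding, and nothing else. A real browser typically also sends
    # Accept-Language, Connection and more.
    if headers.get("user-agent") == LOIC_113_UA:
        extra = set(headers) - {"accept", "user-agent", "host", "accept-encoding"}
        if headers.get("accept") == "*/*" and not extra:
            return "loic-1.1.3-like"
    return "normal"


def requests_per_second(events):
    """Return the peak number of requests seen in any one-second bucket, per IP.
    events is an iterable of (timestamp_seconds, client_ip, raw_request)."""
    buckets = defaultdict(int)
    for ts, ip, _raw in events:
        buckets[(ip, int(ts))] += 1
    peak = defaultdict(int)
    for (ip, _sec), n in buckets.items():
        peak[ip] = max(peak[ip], n)
    return dict(peak)


def flag_sources(events, max_rps=20):
    """Return {ip: (peak_rps, dominant_class)} for IPs that exceed max_rps
    (an assumed threshold) or whose requests are mostly LOIC-shaped."""
    peaks = requests_per_second(events)
    classes = defaultdict(lambda: defaultdict(int))
    for _ts, ip, raw in events:
        classes[ip][classify(raw)] += 1
    flagged = {}
    for ip, peak in peaks.items():
        dominant = max(classes[ip], key=classes[ip].get)
        if peak > max_rps or dominant != "normal":
            flagged[ip] = (peak, dominant)
    return flagged


def build_sample_events():
    """Constructed traffic from three sources (RFC 5737 documentation addresses)."""
    events = []
    # v.1.0.4 style: 50 bare GETs within one second.
    loic_104 = b"GET / HTTP/1.0\r\n\r\n\r\n"
    for i in range(50):
        events.append((100.0 + i / 50, "203.0.113.5", loic_104))
    # v.1.1.3 style: 30 requests, hard-coded UA, random-looking path suffix.
    for i in range(30):
        req = ("GET /x%dq HTTP/1.1\r\nAccept: */*\r\nUser-Agent: %s\r\n"
               "Host: www.example.com\r\n\r\n\r\n" % (i, LOIC_113_UA)).encode()
        events.append((100.0 + i / 30, "198.51.100.7", req))
    # A normal browser: two requests with a fuller header set.
    normal = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
              b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6\r\n"
              b"Accept: text/html\r\nAccept-Language: en-US\r\n"
              b"Connection: keep-alive\r\n\r\n")
    events.append((100.0, "192.0.2.9", normal))
    events.append((101.5, "192.0.2.9", normal))
    return events


if __name__ == "__main__":
    for ip, (rps, label) in sorted(flag_sources(build_sample_events()).items()):
        print("%-14s peak %3d req/s  %s" % (ip, rps, label))
```

The signature checks are deliberately narrow: an absent header set on an HTTP/1.0 request, or the exact MSIE 7.0 string with only the headers the v.1.1.3 code emits. Either one alone is a weak signal, so the rate count per IP is what should drive any blocking decision, and the labels mainly help confirm what a spike is.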


Stats 


LOIC on GitHub - page view traffic from Dec 2010 to present (Mar 2011). Yes, that's 35K page views in Dec 2010. Operation Avenge Assange was launched in Dec 2010, targeting PayPal, Visa, MasterCard and the Swedish Prosecution Authority. The traffic appears to have fallen off since then.




Have a look at the download statistics for LOIC hosted on SourceForge. Top downloading country: the United States; top OS: Windows. It's staggering that this is an opt-in, point-and-click attack and the sources seem to be concentrated in the United States.

http://sourceforge.net/projects/loic/files/loic/stats/map

http://sourceforge.net/projects/loic/files/loic/stats/timeline





Links

- LOIC DDoS Analysis, Wireshark and Snort
http://blog.spiderlabs.com/2011/01/loic-ddos-analysis-and-detection.html

- Operation Payback used LOIC
http://en.wikipedia.org/wiki/Operation_Payback#Tools_and_communication

- DACS Paper on LOIC & Anonymous
http://www.simpleweb.org/reports/loic-report.pdf

- WordPress attacked by LOIC
http://www.eweek.com/c/a/Security/WordPresscom-Hit-by-Extremely-Large-Denial-of-Service-Attack-618818/

- More about LOIC
http://www.p2pnet.net/story/49690


Computer Biology
