What Is the Low Orbit Ion Cannon (LOIC)?

Netsparker Security Team - Wed, 24 Jul 2019 -

The Low Orbit Ion Cannon (LOIC) is a network stress testing application for Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks that has been used by hacktivists. This article describes how the LOIC works, its limitations, and why it is popular. Finally, it offers advice on how to defend against LOIC attacks.

Your Information will be kept private.

What Is the Low Orbit Ion Cannon (LOIC)?

The Low Orbit Ion Cannon (LOIC) is a network stress testing application created by Praetox Technologies. It is used as an attack tool in DoS/DDoS attacks. LOIC is a Windows application that was written in C# and it is currently available as an open-source project on Sourceforge and other platforms. It was ported to many operating systems: Linux, OS X, Android, iOS. There is also a JavaScript version (JS LOIC) and a web version (Low Orbit Web Cannon).

What Is the Low Orbit Ion Cannon (LOIC)?

Hacktivists from the 4chan Anonymous group used LOIC in the following attacks:

  • Project Chanology: An attack on the Church of Scientology (2008)
  • Operation Payback: An attack on the Recording Industry Association of America (RIAA), Visa, MasterCard, PayPal, and other organizations that opposed WikiLeaks (2010)
  • Operation Megaupload: An attack on Universal Music Group, the US Department of Justice, and more organizations that were involved in the shutdown of Megaupload (2012)

How Does LOIC Work?

LOIC is very simple: it floods a specific IP address with TCP or UDP packets or HTTP requests to a specific port. A single user with LOIC usually cannot cause a denial of service. However, a large number of users with LOIC cause the target server to slow down with the processing of legitimate requests because of the unusually high network traffic.

The Low Orbit Ion Cannon is very popular because it can be used by someone with minimum technical knowledge. For organized DDoS attacks, the application can be used in hivemind mode. In this mode, the user only connects to an IRC (Internet Relay Chat) channel. Commands with target systems and attack details are sent by the attack organizer to this channel. In this mode, one person has full control of LOIC instances on many user computers so the attack is performed with the use of a voluntary botnet.

The usability of LOIC is limited. Its activities cannot be anonymized or redirected through proxies. Therefore, everyone who participates in DDoS attacks using this tool can be easily identified and prosecuted. It is also very easy to block because all requests follow the same template. A more advanced version of LOIC also exists – the High Orbit Ion Cannon (HOIC) and it addresses some of these limitations.

How to Defend Against LOIC?

It is best to defend against LOIC attacks at the level of the internet service provider. Many large providers already have DDoS mitigation mechanisms. Major cloud storage providers have such high bandwidth that LOIC attacks have very little effect.

If you host your own web server, you may defend against LOIC and similar attacks with the use of intrusion detection and prevention systems such as Snort. Once you spot a LOIC attack, you can also simply filter out all packets from specific IPs. To protect yourself, you may also configure your firewall to limit the number of requests per minute. This will filter out attack traffic and will have no effect on legitimate users.

Your Information will be kept private.