Low Orbit Ion Cannon (LOIC)
What is Low Orbit Ion Cannon (LOIC)
DDoS perpetrators use LOIC to flood target systems with junk TCP, UDP and HTTP GET requests. However, a single LOIC user is unable to generate enough requests to significantly impact a target. For an attack to succeed, thousands of users must coordinate and simultaneously direct traffic to the same network.
LOIC has been used in a number of high profile DDoS attacks, including:
- Project Chanology – Launched in 2008, this campaign targeted the Church of Scientology for issuing a copyright violation against YouTube in an effort to have one of its videos removed.
- Operation Payback – This widespread 2010 campaign targeted anti-piracy organizations, Visa, MasterCard, PayPal, Sony and the PlayStation network.
The LOIC version used in the above attacks contained a so-called HIVEMIND mode. It used internet relay chat servers to hijack junk traffic generated by users, thereby enabling individual perpetrators to create a botnet and stage attacks without prior coordination.
To use LOIC, a perpetrator simply launches the application, enters a target URL or IP and then designates whether to launch a TCP, UDP or HTTP flood. The TCP and UDP modes send message strings and packets to select ports on the target, while the HTTP flood mode sends an endless volley of GET requests.
Once launched, LOIC opens multiple connection requests for a target server. It then sends a continuous series of messages until the server becomes overloaded and can’t respond to legitimate requests.The LOIC application interface.
LOIC's widespread availability means perpetrators are easily able to recruit fellow users to stage a coordinated assault. Additionally, its ease of use lets anyone, regardless of knowledge or experience, to execute potentially severe DDoS attacks.
That being said, LOIC users are unable to route attack traffic through proxies. As a result their IP addresses are completely visible to a target, making them easy to trace.
Methods of Mitigation
Small-scale LOIC attacks can be detected and blocked through basic network traffic monitors and firewalls. However, such defenses can be overpowered by a coordinated attack that can only be mitigated by a dedicated security solution.
Imperva Incapsula Website Protection uses a unique client classification engine that analyzes incoming HTTP/S traffic. Among other attack vectors, the WAF also transparently identifies malicious traffic originating from LOIC TCP and HTTP floods.
Incapsula DDoS protection, on the other hand, is suitable for mitigating UDP assaults. This solution uses Anycast technology to balance an attack load across a global network of scrubbing servers, which identify and filter malicious packets through deep packet inspection. This weeds out illegitimate packets on edge, making certain that only clean traffic reaches the server.