The Low Orbit Ion Cannon (LOIC) and Group Effort DDoS Attacks

You might hear the words low orbit ion cannon and automatically think knock it off, North Korea, but as much as said cannon sounds like a weapon that would potentially be terrorizing a portion of the earth, it’s actually a weapon terrorizing a portion of the internet thanks to the massive amount of junk requests it’s capable of generating. All it takes is this open source ‘cannon’ and an agreed-upon target and you’ve got yourself an easy recipe for a DDoS attack.

The road to you-know-where

The low orbit ion cannon or LOIC is an open-source and easily accessible application. Similar to so many technologies that have gone on to be instruments of mayhem, the LOIC started out as a well-intentioned application, one designed to allow web developers to stress test their servers against heavy network traffic for diagnostic and performance-related purposes.

The LOIC is still widely used in this manner, flooding a target with junk UDP, TCP and HTTP GET requests in order to see how the system handles the influx. When operated by a single user, the cannon can’t generate enough requests to do any real damage, so it’s low to no risk and high reward for developers. It’s when it isn’t operated by a single user that the problem arises.

Crowd-sourced chaos

For the LOIC to generate enough requests to cause a distributed denial of service (DDoS) attack and take the target offline, it would take thousands of users simultaneously directing those requests at one target. Of course, the answer to the question of where you would find thousands of people willing to launch a DDoS attack with you is, naturally, the internet.

With social media, discussion forums and other online gathering places it’s become easy for a person or group to recruit others willing to take part in their misdeeds, and the low orbit ion cannon makes it even easier for anyone to form a voluntary DDoS botnet on the fly. All a user has to do is paste in the URL of the target and select which type of flood they’d like to aim at it – UDP, TCP or HTTP. That’s it. Malicious traffic launched.

The LOIC has been famously used by hacktivist groups 4chan and Anonymous. Both groups have used it to attack the Church of Scientology, and Anonymous has also used it to target organizations that opposed WikiLeaks including MasterCard, PayPal, Sony and Visa, as well as organizations involved in the shuttering of file sharing service Megaupload, including Warner Brothers Music and the United States Department of Justice.

Gaining steam

Across the United States and around the world people are becoming increasingly politically motivated and looking for ways to join movements and demonstrate. Not everyone is in the position to march on Washington, or hold up a sign at a rally, but most people do have at least one device connected to the internet, and with DDoS attacks now ranking as a form of protest, easy to use DDoS tools like the LOIC are only going to become more popular.

This mirrors an internet-wide trend of DDoS attacks becoming more prevalent. Whether these attacks are being used as an instrument of protest, of revenge, of competitive advantage, of easy money-making from DDoS ransom notes, or even as an instrument of plain old “fun,” they’re flying all over the internet at a frequency that’s never been seen before. This puts almost every website on the internet at risk, as well as almost every business with an online presence.

Raising the drawbridge

There are two basic routes you can take for protecting against these attacks. The first is using basic firewalls and network traffic monitors to detect and block junk requests from the LOIC and similar DDoS tools. This only works in the case of small-scale attacks, however.

For attacks that come from a coordinated group ganging up on a target, a dedicated security solution is necessary. For TCP and HTTP floods this solution may come in the form of a web application firewall that has a client classification engine capable of analyzing incoming traffic to identify malicious requests.
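As an added example (not part of the original post), here is the kind of rate-based check a traffic monitor or client classification engine applies to an HTTP GET flood, run over constructed access-log lines in Apache/Nginx "combined" format. It flags both a single noisy source and the group-effort case the post describes, where each volunteer stays under the per-IP limit but together they overwhelm one path; the IP addresses and thresholds are illustrative, not tuned values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" format; only the fields needed for rate analysis are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, epoch_seconds, method, path), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
    return m.group("ip"), ts, m.group("method"), m.group("path")


def detect_get_flood(lines, window_s=10, per_ip_max=20, path_max=50, min_sources=3):
    """Bucket GET requests into fixed windows; flag single noisy IPs and
    coordinated floods where several sources together overwhelm one path."""
    per_ip = defaultdict(int)        # (window, ip) -> request count
    per_path_n = defaultdict(int)    # (window, path) -> request count
    per_path_ips = defaultdict(set)  # (window, path) -> distinct source IPs
    for ip, ts, method, path in filter(None, map(parse_line, lines)):
        if method != "GET":
            continue
        w = int(ts // window_s)
        per_ip[(w, ip)] += 1
        per_path_n[(w, path)] += 1
        per_path_ips[(w, path)].add(ip)
    noisy_ips = {ip for (w, ip), n in per_ip.items() if n > per_ip_max}
    flooded_paths = {p for (w, p), n in per_path_n.items()
                     if n > path_max and len(per_path_ips[(w, p)]) >= min_sources}
    return noisy_ips, flooded_paths


def sample_log():
    """Constructed log: five 'volunteers' each send 15 GET / inside one 10 s window
    (none exceeds per_ip_max alone), one IP sends 30, and one legitimate client sends 2."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, i, path):
        ts = (t0 + timedelta(seconds=i % 10)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

    lines = [line(f"198.51.100.{k}", i, "/") for k in range(1, 6) for i in range(15)]
    lines += [line("203.0.113.9", i, "/") for i in range(30)]
    lines += [line("192.0.2.7", i, "/about") for i in range(2)]
    return lines
```

Running `detect_get_flood(sample_log())` flags only the 30-request source as a noisy IP, yet still flags `/` as flooded because six sources sent 105 requests to it in one window.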

For UDP floods a DDoS mitigation service is required, using deep packet inspection to identify illegitimate requests and sending those requests to scrubbing servers, keeping them from ever reaching the target server. With the number of attacks coming from DDoS tools, for-hire services and botnets of all kinds, professional DDoS protection might just be the best bet, regardless of whether the group effort LOIC is a concern or not. Now if only the threat of nuclear weapons could be so easily handled.