Are Decade-Old DoS Tools Still Relevant in 2021?

This post is also available in: French German Italian Portuguese (Brazil) Spanish Russian

Surprisingly, the answer is yes. After Anonymous fell apart in 2016, the threat landscape shifted rapidly. The once mainstream group of organized Denial of Service (DoS) attacks with simple GUI-based tools were no more; as the era of Distributed Denial of Service (DDoS) attacks and DDoS-as-a-Service began to take shape under the power of new IoT botnets such as Bashlite and Mirai.

While Anonymous has not entirely disappeared, its digital footprint has significantly reduced over the last five years. Today, you can still find Anonymous accounts on the usual social media outlets and video platforms spreading operational propaganda, but with limited impact compared to the past.  However, during a recent Anonymous operation, I was surprised to find that the group, which still uses PasteBin and GhostBin (to centralize operational details), had updated their target list from years prior and suggested the use of Memcached and other reflective attack vectors. They recommended using antiquated DoS tools, such as LOIC, HOIC, ByteDoS, and Pyloris, all nearly 10-years-old.

Tools of The Past


High Orbit Ion Cannon, or HOIC for short, is a network stress testing tool related to LOIC; both are used to launch Denial of Service attacks popularized by Anonymous. This tool can cause a Denial of Service through the use of HTTP floods. Additionally, HOIC has a built-in scripting system that accepts .hoic files called boosters. These files allow a user to deploy randomization countermeasures and increase the magnitude of the attack.

While it has no significant obfuscation or anonymization techniques to protect the user’s origin, the use of .hoic “booster” scripts allows the user to specify a list of rotating target URLs, referrers, user agents, and headers. This effectively causes a Denial of Service condition by attacking multiple pages on the same site while making it seem like attacks are coming from several different users.

Figure 1: HOIC

[Click for Full Report: Quarterly Threat Intelligence Report]


Once considered a destructive tool, ByteDoS has become a novelty in 2021. ByteDos is a Windows desktop DoS application. It is a simple, standalone executable file that does not require installation and comes equipped with embedded IP resolver capabilities that allow this attack tool to resolve IPs from domain names. It also supports two attack vectors: SYN Flood and ICMP Flood, allowing the user to choose his preferred attack vector. ByteDos also supports attacks behind proxies, enabling the attackers to hide their source and identity. The tool is quite common among hacktivists and Anonymous supporters (it becomes very effective when used collectively by many attackers in a coordinated Denial of Service attack).

Figure 2: ByteDOS


Another one that was once considered a destructive tool is Pyloris. Pyloris is a low and slow HTTP DoS tool. Pyloris enables the attacker to craft HTTP requests with custom packet headers, cookies, packet sizes, timeouts, and line-ending (CRLF) options. Pyloris’ objective is to keep TCP connections open for as long as possible between the attacker and the victim’s servers in an attempt to exhaust the server’s connection table resources. Once exhausted, the server will not handle new connections from legitimate users, resulting in a denial-of-service state.

[Like this post? Subscribe now to get the latest Radware content in your inbox weekly plus exclusive access to Radware’s Premium Content. ]

Figure 3: PyLoris

[Check out the latest edition of Hacker’s Almanac Series 1:The Threat Actors]

How effective are the old tools

The tools suggested for this Anonymous operation, and many others are old and outdated, yet oddly enough, they still have a place in the threat landscape. In a world of easy-to-build IoT botnets and cheap attack services, it is odd to see some suggest using tools that are nearly a decade old. And while the use of these tools is not prominent, they can still be effective when correctly leveraged against unsuspecting and unprotected websites. Below is a chart showing events over the last year related to LOIC, HOIC, HULK, and SlowLoris attacks.

Figure 4: HOIC, LOIC, HULK, Slowloris DoS events
Figure 4: HOIC, LOIC, HULK, Slowloris DoS events (source: Radware)

As you can see, these tools are still relevant in 2020/21 but not as popular or effective as they used to be due to the evolution of the threat landscape and advancements in mitigation technology. While Anonymous is no longer the threat they used to be, there is always an inherited risk of a lone wolf or group of amateur threat actors popping up with these tools and presenting a certain level of risk for the unprotected.

Download Series 1 of Radware’s Hacker’s Almanac 2021.

Download Now

Daniel Smith

Daniel is the Head of Research for Radware’s Threat Intelligence division. He helps produce actionable intelligence to protect against botnet-related threats by working behind the scenes to identify network and application-based vulnerabilities. Daniel brings over ten years of experience to the Radware Threat Intelligence division. Before joining, Daniel was a member of Radware’s Emergency Response Team (ERT-SOC), where he applied his unique expertise and intimate knowledge of threat actors’ tactics, techniques, and procedures to help develop signatures and mitigate attacks proactively for customers.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center