Just as the network security and hacking world is continually evolving, so too are the DDoS attack tools used to carry out distributed denial of service (DDoS) attacks. For example, DDoS tools such as Trinoo and Stacheldraht were widely used at the turn of the century, but these DDoS tools ran only on the Linux and Solaris operating systems. Specialized DDoS attack tools have since evolved to target multiple platforms, rendering DDoS attacks more dangerous for targets and much easier for hackers to carry out.
Some of the newer DDoS tools such as Low Orbit Ion Cannon (LOIC) were originally developed as network stress testing tools but were later modified and used for malicious purposes. Other DDoS attack tools such as Slowloris were developed by “gray hat” hackers whose aim is to direct attention to a particular software weakness. By releasing such DDoS tools publicly, gray hat hackers force software developers to patch vulnerable software in order to avoid large-scale attacks.
Here are seven of the most common - and most threatening - specialized DDoS attack tools.
“Hacktivist” group Anonymous’ initial tool of choice, Low Orbit Ion Cannon (LOIC) is a simple flooding tool that can generate massive volumes of TCP, UDP, or HTTP traffic to subject a server to a heavy network load. LOIC’s original developers, Praetox Technologies, intended the tool to be used by developers who wanted to subject their own servers to heavy network traffic loads for testing purposes. However, Anonymous used the open-source tool to launch coordinated DDoS attacks. LOIC was later given its “Hivemind” feature, allowing any LOIC user to point a copy of LOIC at an IRC server and transfer control of that server to a master user who can then send commands over IRC to every connected LOIC client simultaneously. This configuration enabled much more effective DDoS attacks. However, LOIC doesn’t obscure its users’ IP addresses, and this lack of anonymity led to the 2011 arrest of LOIC attackers around the world. Afterward, Anonymous broadcast a clear message across IRC channels: “Do NOT use LOIC.”
High Orbit Ion Cannon (HOIC) quickly took the spotlight when it was used to target the U.S. Department of Justice in response to its decision to take down Megaupload.com. At its core, HOIC is a simple cross-platform basic script for sending HTTP POST and GET requests wrapped in an easy-to-use GUI. However, its effectiveness stems from add-on “booster” scripts—text files that contain additional basic code interpreted by the main application upon DDoS attack launch. Booster scripts also allow users to specify lists of target URLs and identifying information when generating attack traffic, making HOIC attacks anonymous and harder to block. HOIC continues to be one of the DDoS attack tools used by Anonymous to launch DDoS attacks worldwide.
The DDoS attack tool hping is a fairly basic command line utility similar to the ping utility. However, it offers more functionality than simply sending an ICMP echo request. In fact, hping can be used to send large volumes of TCP traffic to a target while spoofing the source IP addresses, making it appear to be random or even to originate from a specific, user-defined source. This powerful, robust tool is among Anonymous’ current DDoS attack tools of choice.
Many of the more intricate low and slow DDoS attack types rely on easy-to-use tools, yielding denial of service attacks that are much harder to detect. Developed by a gray hat hacker who goes by the handle “RSnake,” Slowloris creates a DoS condition for a server by using a very slow HTTP request. By sending HTTP headers to the target site in tiny chunks as slowly as possible, the server is forced to continue to wait for the headers to arrive. If enough connections are opened to the server in this way, the server becomes unable to handle legitimate requests.
R U Dead Yet? (R.U.D.Y.)
Another slow-rate DDoS attack tool, R U Dead Yet? (R.U.D.Y.) achieves denial of service by using long-form field HTTP POST submissions rather than HTTP headers, as Slowloris does. By injecting one byte of information into an application POST field at a time, a R.U.D.Y. attack causes application threads to await the end of never-ending posts in order to perform processing. Since R.U.D.Y. causes the target web server to hang while waiting for the rest of an HTTP POST request, a user can create many simultaneous connections to the server, ultimately exhausting the server’s connection table and causing a denial of service condition.
While all of the aforementioned DDoS tools are non-vulnerability-based, #RefRef, another tool in Anonymous’ arsenal, is based on vulnerabilities in SQL database software that allow for injection attacks. Using an SQL injection, #RefRef forces a target server to use a special SQL function that repeatedly executes SQL expressions. Nonstop execution of a few lines of code consumes the target servers’ resources, resulting in denial of service for a target server.
Unlike LOIC or HOIC, #RefRef does not require a large number of machines to take down a server due to the nature of its attack vector. If the server’s backend uses SQL and is vulnerable, only a few machines are needed to cause significant outage. While developing the tool, Anonymous ran #RefRef on a single machine and caused outages on various sites for minutes at a time. For example, a 17-second attack on Pastebin took the site offline for 42 minutes.
Botnets as DDoS Attack Tools
Regardless of the DDoS attack tools used, the ability to launch an attack from hundreds, thousands, or millions of computers significantly amplifies the potential of that attack to cause denial of service, which is why botnets are common DDoS attack tools used. Botnets are large collections of compromised computers, often referred to as “zombies,” that are infected with malware that allows an attacker to control them. Botnet owners, or “herders,” can control the machines in the botnet using a covert channel, such as IRC, issuing commands to perform malicious activities such as DDoS attacks, distribution of spam mail, and information theft.
Many botnet owners have attempted to scale down networks to avoid detection. However, some larger, more advanced botnets—BredoLab, Conficker, TDL-4, and Zeus, for example—have been estimated to contain millions of machines. Large botnets can often be rented for as little as $100 per day. (One online forum ad offered the use of a botnet with 80,000 to 120,000 infected hosts for $200 per day.)
Mitigating DDoS Attack Threats
The widespread accessibility of these DDoS attack tools enables anyone with moderate technical knowledge to launch a devastating attack. As such, it is important to be aware of all recent DDoS attack tools, maintain up-to-date software on all servers and other network devices, and use a DDoS mitigation service and DDoS protection solution against attacks as they continue to evolve.