What is a Low Orbit Ion Cannon (LOIC) Tool?


The Low Orbit Ion Cannon (LOIC) is an open-source network stress-testing application, often used by malicious actors and activists for denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. The tool was developed in 2010 by Praetox Technologies and then released into the public domain. It works by flooding the target with TCP/UDP packets that target the network layer or HTTP GET requests that target the application layer. A more advanced version of the tool, the High Orbit Ion Cannon (HOIC), also exists.

There are two versions of the tool: the original binary LOIC and the web-based JavaScript LOIC. Following its release into the public domain, the tool is currently available on several open-source platforms.

LOIC is widely used for network stress testing, as well as for DoS and DDoS attacks. It is known for being a very user-friendly and accessible tool, and it gained notoriety for its use by members of certain hacktivist groups. LOIC performs a DoS or DDoS attack on a target site by flooding the server with TCP, UDP or HTTP packets with the intention of disrupting the service of a particular host. People have also used LOIC to join voluntary botnets.

These DDoS attacks are malicious attempts to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices. In a DDoS attack, the incoming traffic flooding the victim originates from many different sources. More sophisticated strategies are therefore required to mitigate this type of attack, because blocking a single source is insufficient when the traffic comes from many.

How Does LOIC Work?

LOIC works by flooding a target server with TCP, UDP, or HTTP packets with the goal of disrupting service. One attacker using LOIC can’t generate enough junk traffic to make a serious impact on a target, so serious attacks require thousands of users to coordinate a simultaneous attack on the same target. To make coordinated attacks easier, users can use IRC chat channels to run a “hivemind” version of LOIC. This lets one primary user control several networked secondary computers, creating a voluntary botnet. This is a popular approach because owners of the secondary devices can claim they were innocent victims of an involuntary botnet.

Notable LOIC Attack Instances and Events

LOIC gained notoriety for its use by members of the hacktivist group Anonymous as well as users of the 4chan forums. LOIC was used by Anonymous during Project Chanology to attack websites for the Church of Scientology and the Recording Industry Association of America. It was also used by Anonymous during their Operation Payback in December 2010 to attack the websites of companies and organizations that opposed WikiLeaks. These attacks can have a significant impact on the targeted organizations, disrupting their services and causing financial losses.

To mitigate or prevent LOIC attacks, security experts have suggested that well-written firewall rules can filter out most traffic from DDoS attacks by LOIC, thus preventing the attacks from being fully effective. In at least one instance, filtering out all UDP and ICMP traffic blocked a LOIC attack.

How to Protect and Mitigate the Impact of LOIC Attacks

LOIC is a relatively simple tool that sends multiple requests to flood a targeted IP with TCP or UDP packets or HTTP requests. Small LOIC HTTP attacks can be mitigated with a local firewall: a server administrator looks at the logs, identifies the IPs of the attackers and then drops their requests. It is best to defend against LOIC attacks at the level of the internet service provider (ISP). Many large providers already have DDoS mitigation mechanisms. Major cloud storage providers have such high bandwidth that LOIC attacks have very little effect. If you host your own web server, you can defend against LOIC and similar attacks with intrusion detection and prevention systems such as the open-source Snort detection software. Maintaining a strong security posture is important to defend against LOIC attacks as well as other types of cyber threats.

Online LOIC and Mobile LOIC: Expanding the Threat Landscape

In addition to the original binary version of the LOIC tool, there are also online and mobile versions available. The online version is known as JavaScript LOIC or web-based LOIC, while the mobile version is known as Mobile LOIC. These versions are delivered within an HTML page and are JavaScript-based HTTP DoS tools that have very few options and are limited to conducting HTTP floods. Unlike its PC counterpart, Mobile LOIC does not support more complex options, like randomization of URLs and remote control by IRC botnets (e.g., "the Hive"). However, it is flexible because it can run on various browsers and be accessed remotely. Since only a web browser is required, an attacker can use a smartphone to generate an attack.

The accessibility and increased usage of mobile devices may contribute to the prevalence of LOIC attacks because it is now possible to launch attacks from a web browser using a JavaScript version called JS LOIC and a web version known as the Low Orbit Web Cannon. This tool puts the ability to launch DDoS attacks in the hands of users with very little technical knowledge. It is widely available for download and has a simple point-and-click interface. This means that there is a need for increased vigilance and stronger cybersecurity measures for mobile devices and online platforms against LOIC attacks.

Small LOIC HTTP attacks can be mitigated with a local firewall by having a server administrator look at the logs, identify the IPs of the attackers and drop their requests. However, this strategy won’t stand up to a large-scale attack where hundreds or even thousands of different attackers are working in tandem. Local firewalls also can’t protect against TCP or UDP floods, the latter of which can even target and disrupt a firewall. A web application firewall (WAF) can provide strong protection against HTTP floods, and dedicated DDoS protection can stop TCP and UDP attacks.
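The log review described here and in the mitigation section above (read the access log, identify the flooding addresses, drop their requests) can be automated. The following is an added example, not part of the original article: it assumes the common/combined access-log format, and the function names, the threshold of 20 requests per 10 seconds and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common/combined log prefix: ip - - [time] "METHOD path proto" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ \S+[^"]*" \d{3} ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (ip, timestamp), or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(2), TIME_FMT)
    except ValueError:
        return None
    return m.group(1), ts

def flood_sources(lines, max_requests=20, window_seconds=10):
    """Map each IP that sent more than max_requests inside any sliding
    window of window_seconds to its peak in-window request count."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = {}
    for line in lines:            # assumes lines are in time order per IP
        rec = parse(line)
        if rec is None:
            continue
        ip, ts = rec
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

def build_sample():
    """Constructed log: one flooding client, one normal client, one bad line."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "GET {p} HTTP/1.1" 200 512 "-" "-"'
    lines = [fmt.format(ip="203.0.113.7", s=i // 10, p="/") for i in range(60)]
    lines += [fmt.format(ip="198.51.100.20", s=i * 10, p="/index.html") for i in range(5)]
    lines.append("truncated garbage line")
    return lines

if __name__ == "__main__":
    for ip, count in flood_sources(build_sample()).items():
        print(f"{ip}\t{count} requests inside one window")
```

The returned addresses are candidates for a firewall drop rule. A flood spread across many sources that each stay under the threshold will not appear in the result, which is the limitation of local filtering that the paragraph above describes.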

Conclusion

It is important for businesses and organizations to understand the LOIC tool and the potential threat it poses. It is a widely available, open-source application used for network stress testing, as well as DoS and DDoS attacks. It is known for being a very user-friendly and accessible tool, and it gained notoriety for its use by members of the hacktivist group Anonymous as well as users of the 4chan forums. These attacks can have a significant impact on the targeted organizations, disrupting their services and causing financial losses. To mitigate or prevent LOIC attacks, security experts have suggested that well-written firewall rules can filter out most traffic from DDoS attacks by LOIC, thus preventing the attacks from being fully effective. In at least one instance, filtering out all UDP and ICMP traffic blocked a LOIC attack. Businesses and organizations should take proactive measures to protect themselves against potential LOIC attacks and maintain a strong security posture to defend against other types of cyberthreats.
