Low Orbit Ion Canon (LOIC) is an open source network stress testing and Denial of Service (DoS) attack application that was initially developed by Praetox Technologies and later released into the public domain. LOIC is a flooding tool that runs on Microsoft Windows and Mac OS X generating massive amounts of TCP, UDP and HTTP packets. It performs DoS attacks on the target site by flooding the server with non-legitimate packets in order to disrupt the service of a particular host.
On its own, one computer cannot generate enough TCP, UDP or HTTP requests at once to overwhelm most web servers. It takes thousands of computers all pointed at a single site to make a real impact. Letting a central administrator control the process of attacking a selected target makes the process more effective. The LOIC tool gathers random computers and turns them into a network connection that sends an onslaught of fake requests towards a targeted web server.
The Internet Relay Chat (IRC) mode enables the LOIC tool to connect to an IRC channel and receive target and settings via the IRC topic message. This is referred to as the “hive mind” mode. The LOIC “hive mind” feature allows anyone with a computer to point their copy at an IRC server, allowing a third party like Anonymous to take control and aim every computer at a single victim. This effectively lets anyone with a computer participate in an Anonymous attack – regardless of computer literacy or skills.
The LOIC tool has been used in several well-known attack cases against large organizations including attacks by the Anonymous group in Project Chanology, Operation Payback, and OpSony. More than 30,000 downloads of the tool were reported to have occurred between the 8th and 10th of December 2010 when Anonymous organized attacks on the websites of companies and organizations that opposed Wikileaks. LOIC was utilized by many attackers, and caused outage to many of them.
The tool does not spoof the IP but uses the real one, which can reveal the identities of the attackers. Overall, both the attack traffic and the hundreds of volunteers running the software on their PCs were not terribly sophisticated. Most volunteers clearly did not realize the tools do not anonymize their PC source or IP address. In actuality, a large part of the DoS / DDoS threat came more from the inner circle of Anonymous, who are increasingly skilled hackers than the volunteer activists.
If an attack is not routed through an anonymization network, such as Tor, traceable IP address records can be logged by its recipient. This information can be used to identify the individual user participating in DoS / DDoS attacks from logs kept by their ISPs.