Cut Your Strings, Fearful Puppets
If you look around a bit online for information on LOIC, you’ll see quite a few people talking about the dangers of using this software, but not a lot of hard data. In fact, we were unable to find anyone actually showing what an LOIC attack looks like to the server being targeted, and how easy it is to track that back to the person running it.
With that in mind, we thought the best way to warn would-be LOIC “hackers” was to show them exactly what happens on the server side during such an attack. So a few of the staff here at The Powerbase installed LOIC onto our machines, connected it up to an IRC server under our control, and began launching attacks against a test server we set up. The test machine was running Slackware 13.37 and Apache 2.2.22.
First we tested LOIC’s random mode, the result of which was the following:
We then ran another test from a different machine using LOIC’s ability to specify a message to send to the target. Generally this is some “l33tspeak” phrase in a real attack:
Interpreting The Results
In both tests, the attack in progress is painfully obvious. There is absolutely zero attempt made by LOIC to obfuscate the attack or who is performing it. In both modes, the attack clearly stands out from normal traffic, and shows the attacker’s IP address as well as the exact date and time. With this information it is trivial to track anyone who is using LOIC. As an example, let’s take the two IP addresses that performed this simulated LOIC attack and see what we can find out.
Using the GeoIP service offered by MaxMind, we are able to determine the location of both staffers within a radius of 5 miles:
Here we can see the GeoIP service was able to find the City and State of both “attackers”, as well as their ISP and even area code. We can gather even more information by examining the output of “whois” on the command line:
This simple command shows us the abuse contact info for the ISP responsible for our attacker’s IP address. With an email address and phone number for the attacker’s ISP, the server administrator simply needs to send them a copy of his server logs to get the ball rolling.
Even the most inept of administrators will be able to quickly tell when their site is under attack from LOIC, and can easily track each individual connection back to the IP address it’s coming from. A slightly more capable administrator would have no trouble taking that same information and using it to block the attack. So the only thing LOIC is very effective at is getting its users arrested, and it’s only marginally annoying as an attack.
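To show how little work that tracking takes, here is an added example (written for this article, not something The Powerbase ran) that pulls a flood out of an Apache access log: it groups requests by source IP, counts them in a sliding time window, and reports the IP, timestamps and request lines an admin would forward to the ISP abuse contact. The log lines are constructed, and the 30-requests-in-10-seconds threshold and the l33tspeak payload are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Apache common-log prefix: client IP, identity, user, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, datetime, request, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))

def find_floods(lines, window_seconds=10, threshold=30):
    """Flag every source IP that sends at least `threshold` requests inside a sliding
    window of `window_seconds`. The report carries what the article says an admin
    needs for the ISP abuse contact: the IP, first/last timestamp and the request lines."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            by_ip[parsed[0]].append(parsed)
    report = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[1])
        peak, start = 0, 0
        for end in range(len(events)):  # two-pointer sliding window over sorted times
            while (events[end][1] - events[start][1]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            report[ip] = {"peak": peak, "first": events[0][1].isoformat(),
                          "last": events[-1][1].isoformat(),
                          "requests": sorted({e[2] for e in events})}
    return report

def constructed_sample_log():
    """Constructed lines (not captured LOIC traffic): five ordinary visitors, then one
    source sending 60 requests in six seconds, alternating 'GET /' with a made-up
    l33tspeak payload that Apache logs as a 400 because it is not a valid request."""
    t0 = datetime(2012, 1, 14, 21, 3, 11, tzinfo=timezone(timedelta(hours=-6)))
    fmt = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = [f'192.0.2.{i} - - [{fmt(t0 + timedelta(seconds=7 * i))}] "GET /index.html HTTP/1.1" 200 2048'
             for i in range(1, 6)]
    for i in range(60):
        req, status = ("GET / HTTP/1.1", 200) if i % 2 else ("l33t h4x0r w4s h3r3", 400)
        lines.append(f'198.51.100.23 - - [{fmt(t0 + timedelta(milliseconds=100 * i))}] "{req}" {status} 0')
    return lines
```

Running `find_floods(constructed_sample_log())` flags only 198.51.100.23, with a peak of 60 requests in the window; the ordinary visitors never come close to the threshold.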
As a legitimate load testing tool, LOIC has its place. But trying to use it as some form of Internet “activism” is clearly foolish.