Low Orbit Ion Cannon: Exposed

[Image: Exposing LOIC]

Cut Your Strings, Fearful Puppets

If you look around a bit online for information on LOIC, you’ll see quite a few people talking about the dangers of using this software, but not a lot of hard data. In fact, we were unable to find anyone actually showing what an LOIC attack looks like to the server being targeted, and how easy it is to track that back to the person running it.

With that in mind, we thought the best way to warn would-be LOIC “hackers” was to show them exactly what happens on the server side during such an attack. So a few of the staff here at The Powerbase installed LOIC onto our machines, connected it up to an IRC server under our control, and began launching attacks against a test server we set up. The test machine was running Slackware 13.37 and Apache 2.2.22.

First we tested LOIC’s random mode, the result of which was the following:

[Image: Results of LOIC Random Attack]

We then ran another test from a different machine using LOIC’s ability to specify a message to send to the target. Generally this is some “l33tspeak” phrase in a real attack:

[Image: Results of LOIC Attack with "www.thepowerbase.com" Message]

Interpreting The Results

In both tests, the attack in progress is painfully obvious. There is absolutely zero attempt made by LOIC to obfuscate the attack or who is performing it. In both modes, the attack clearly stands out from normal traffic, and shows the attacker’s IP address as well as the exact date and time. With this information it is trivial to track anyone who is using LOIC. As an example, let’s take the two IP addresses that performed this simulated LOIC attack and see what we can find out.

Using the GeoIP service offered by MaxMind, we are able to determine the location of both staffers within a radius of 5 miles:

[Image: Results of GeoIP Location Search]

Here we can see the GeoIP service was able to find the City and State of both “attackers”, as well as their ISP and even area code. We can gather even more information by examining the output of “whois” on the command line:

[Image: Finding Abuse Contact Info]

This simple command shows us the abuse contact info for the ISP responsible for our attacker’s IP address. With an email address and phone number for the attacker’s ISP, the server administrator simply needs to send them a copy of his server logs to get the ball rolling.
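The per-address summary an administrator might pull from the Apache access log before contacting the ISP's abuse desk, as an added example that is not from the original article. It assumes Apache's common/combined log format; the function names, the 20-requests-per-second threshold and the log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache common/combined prefix: host ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

def summarize_flood(lines, per_second_threshold=20):
    """Return {ip: evidence} for clients whose peak rate reaches the threshold."""
    per_ip_second = defaultdict(Counter)  # ip -> {timestamp: hits in that second}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at them
        ip, ts = m.group(1), m.group(2)
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        per_ip_second[ip][when] += 1
    report = {}
    for ip, seconds in per_ip_second.items():
        peak = max(seconds.values())
        if peak >= per_second_threshold:
            report[ip] = {
                "requests": sum(seconds.values()),
                "first_seen": min(seconds).isoformat(),
                "last_seen": max(seconds).isoformat(),
                "peak_per_second": peak,
            }
    return report

def constructed_sample():
    """Constructed log lines: one flooding client and one ordinary visitor."""
    flood = ['192.0.2.10 - - [01/Jan/2012:14:02:%02d -0500] "GET / HTTP/1.1" 200 512'
             % (i // 50) for i in range(150)]
    normal = ['198.51.100.7 - - [01/Jan/2012:14:02:%02d -0500] '
              '"GET /index.html HTTP/1.1" 200 2048' % i for i in range(3)]
    return flood + normal

if __name__ == "__main__":
    # Print the source address, time window and request rate for each flagged client.
    for ip, evidence in summarize_flood(constructed_sample()).items():
        print(ip, evidence)
```

The output gives the source address, the exact time window and the request rate, which are the same facts the article reads off the raw log by eye.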

Conclusion

Even the most inept of administrators will be able to quickly tell when their site is under attack from LOIC, and can easily track each individual connection back to the IP address it’s coming from. A slightly more capable administrator would have no trouble taking that same information and using it to block the attack. So the only thing LOIC is very effective at is getting its users arrested, and it’s only marginally annoying as an attack.

As a legitimate load testing tool, LOIC has its place. But trying to use it as some form of Internet “activism” is clearly foolish.

Don’t do it.


Tom Nardi

Tom is a Network Engineer with focus on GNU/Linux and open source software. He is a frequent submitter to "2600", and maintains a personal site of his projects and areas of research at www.digifail.com.

  • Jonas Kulla

    Soo, how about you write your next article about how to distinguish between LOIC users and the million other malware-infested PCs, which are already part of a real botnet?

    Are you saying we should be able to arrest anyone without proper anti-virus?

    • Artimus

      Why would it matter? If your site/server is under DoS attack, you should be collecting data from the logs and sending it to the ISP’s abuse contact so they can start an investigation. A botnet is a botnet, the goal is to shut them down. Doesn’t matter who is pulling the strings.

      Are you saying we should only shut down botnets controlled by Anonymous?

      • Jonas Kulla

        No, what I’m saying is that their way of assuring wasn’t “LOIC isn’t traceable”, it was “if you ever get caught just pretend you didn’t know about anything, so they will just have to assume you’re another botnet victim, and will probably just tell you to install an anti-virus or something”.

  • Nick

    Well, although I don’t think the revolving seats behind anonymous have thought through the potential unwanted side effects of their actions. They are at least TRYING to stop the stupidity of censorship legislation.

    Exactly what are you doing? Are you only complaining about the methods of others who are getting off their asses to stop censorship that you too would not like?

    Here’s the thing. When those who implement laws do things of detriment to the people they supposedly represent, fighting those laws puts you in direct conflict with them and thus there is risk. It cannot be any other way!

    Those who want censorship for whatever reason, are in positions that they can implement it via legislation. If we all do nothing because it is too risky, censorship will be implemented because there is nothing to stop it.

    So Tom please, as a network engineer who realises the benefits of free access to infinite amounts of information BEFORE you lose it completely, perhaps you could spend your time trying to work out a better way to stop censorship yourself rather than post scare pieces which can only do the opposite.

    This is a game, but a very serious game with very serious consequences should we not provide an opposing force to this madness.

    • Bates

      Is this a joke? What has Anon ever accomplished by DDoS’ing sites other than get their members arrested? And censorship? Really? They attack whoever they want for whatever random reason they have, it’s never been about censorship.

      Things like the Internet Blackout worked because it was a willing statement. This is just childish behavior that helps nobody.

      • http://twitter.com/L_u_x_ David Kennedy

        Between an entire internet blackout – and dramatic attacks and influence of anonymous SOPA as well as other copycat legislation failed. That’s all… and what does that mean? It means – if you understand the vague and near limitless control that these pieces of law offered the government – that you still have a free and open internet… not bad for a 3 second download (although the real payload comes from botnets) – DDoS attacks are just one part of the arsenal – online activism, protests and a tremendous social network system are equal parts.. but there is no dog without the bite.

      • http://twitter.com/L_u_x_ David Kennedy

        And yes. It IS about censorship… though they’ve attacked others in the past that was when anon was finding its calling. There is absolutely no doubt that it’s “about censorship” – and it implies you really don’t know the group if you say it doesn’t.

      • http://twitter.com/L_u_x_ David Kennedy

        and lastly…. there would have been no internet blackout without anonymous. It is their activism that brings major players to the forefront to show their support. You can doubt that.. if you’d like.. but it’s true. Occupy Wall Street – also anonymous. There’s an incredible strength to their anonymity and their numbers — and they are just beginning.. they’ve only recently found their place in the world. Stay tuned.

  • Kryde Steensvig

    to its defense. you mention that people using it is fairly safe. then go on to say that they are not. then again mention that in December alone it was downloaded more than 30.000 times.

    you haven’t seen many arrests have you ?

    Lulzsec and most of the people now in jail, were not script kiddies doing DDOS attacks with LOIC

  • http://twitter.com/L_u_x_ David Kennedy

    Oh and one more thing. There’s no attack that isn’t traceable – in the same way that there’s nothing that isn’t hackable. Although an attack that cleans up after itself… and deletes all the logs… is pretty close – but while the attack is happening there’s always a way to find the source.

  • http://twitter.com/L_u_x_ David Kennedy

    Actually….. I’m still not done. :) Put it this way….. I think it’s perfectly fine that you are warning people about the LOIC being traceable… but also have one question — would you feel alright with griping about Anonymous on your website? :D The answer to that question admits their strength. They can bring down the FBI website.. Mastercard, Visa.. invade entire databases and drop them to the public for all to see – crack your twitter, facebook, all your emails and eavesdrop in your private chat channels (which they did for a private conference between FBI, CIA and European intelligence groups) If they can’t hack it quickly – they’ll social engineer the info out of you like candy from a baby… I don’t doubt them… I’ve seen their work. So.. simply put – maybe it’s a risk for the individual – but anonymous has proven their strength.. and aimed at the right target I’m glad they take the risk. Many disagree.. but what some see as anarchist low-lifes.. I see as the good guys..

  • http://www.facebook.com/people/Britt-Fox/1564296669 Britt Fox

    Nothing from any of the three branches of the United States government gives me hope in regards to freedom of speech or personal rights, much less privacy…Anonymous does.

    This is the future of war. Waged with a keyboard and an Ideal. Even if it’s taken awhile to fully develop that ideal. It’s always been true that heroes come from the unlikeliest of places, and never intended or wanted to be one.
    It’s ‘We The People’ on a global scale. How can that be bad?

    • Freedom

      So you think that Anonymous protects people’s freedom of speech…by shutting down other people’s websites and REMOVING their ability to express themselves?
      Silencing the people you don’t agree with isn’t freedom of speech, it’s the exact opposite.
