DDoS attacks are launched online with “toolkits” specifically designed to cause such attacks. One of the most well-known toolkits, an early version, was named after the Ion cannon, a fictional weapon in a video game franchise known as Command & conquer, the Low Orbit Ion Cannon (LOIC) is an open source network stress testing and DDOS attack application that is used by client machines to voluntarily join botnets.
A distributed denial of service attack refers to a flood of data traffic that a server receives when multiple systems send in data with an aim of flooding its bandwidth or resources. In most cases, this data flood is intended at disrupting the receiving of legitimate traffic by the server, ‘denying service’ to clients sending requests to the server. To an end user, when a DDOS attack seems like a service request delay, where new connections are no longer accepted.
LOIC has been responsible for several DDOS attacks on major websites such as PayPal, MasterCard and Visa, usually carried out by hacking groups such as Anonymous. The LOIC application is available in two versions: the first being the binary version or the original LOIC tool that was initially developed to stress test networks and the web based LOIC or JS LOIC.
The LOIC application, first developed by Praetox Technologies, sends a large sequence of HTTP, UDP or TCP requests to the Target server. LOIC is easy to use even by users who lack basic hacking skills. All that is required is the URL of the target. To control the LOIC remotely, some hackers connect the client launching the attack to an Internet Relay Chart using the IRC protocol.
Using this protocol, the user machine becomes part of a botnet. Botnets are networks of compromised computer systems that are controlled by a malware or virus and that send a flood of traffic to a target system when prompted.
The LOIC DDOS uses three types of attacks against the target machine. These include HTTP, UDP and TCP. These implement the same mechanism of attack which is to open multiple connections to the target machine and send a continuous sequence of messages to the target machine. The LOIC tool continues sending traffic to the targeted server, until the server is overloaded. As soon as the server cannot respond to the requests of legitimate users, it effectively shuts down.
The LOIC DDOS attack tool has been downloaded millions of times because it is simple to use and easy to identify. Network administrators can use a robust firewall to prevent or minimize the attack. Server administrators can then look at the logs to identify the IP sending the traffic and block the IP from the server. Well written firewall rules can form a great filter from LOIC DDOS preventing the attacks from being fully effective.
Some experts claim that filtering UDP and ICMP traffic can also effectively address LOIC attacks. To be effective at the firewall level, rules must be implemented earlier in the network link for instance at the ISP site operator, where the server connects to the backbone via a broadband line.
It is also important to check the broadband line to ensure it does not have limitations. If the packets are delivered through a narrow bandwidth then clogging on this line will still occur before any traffic can get to the firewall and get filtered.
LOIC DDOS attacks can be mitigated using two basic approaches, heuristic or signature control. Signature control uses predetermined patterns to filter matching incoming traffic patterns and eliminate the attack. Although effective for repeat attacks, it becomes an issue when new patterns of attacks are launched, and will continue to be a problem until signatures are updated.
On the other hand heuristic DDOS attack control systems make ‘educated guesses’ of impending attacks and acts to eliminate or minimize their effects.
Normally based on trial and error, these methods provide approximation solutions where speed is required to prevent DDOS attacks. Heuristic signatures can therefore provide a real-time approach to the problem. Other proprietary technologies may include a human-computer interaction by providing a user interface, allowing the system administrator to get alerts when heuristic signatures are detected.