
Tuesday 19 March 2013

LEARN about HOIC

HOIC DDoS Analysis and Detection

In a previous blog post, we provided details of a DDoS attack tool called LOIC (Low Orbit Ion Cannon) used by Anonymous in support of denial of service attacks over the past year.  Attackers are constantly changing their tactics and tools in response to defenders' actions.  Recently, the SANS Internet Storm Center (ISC) also highlighted a JavaScript version of LOIC that, while generating the same attack traffic as our previous analysis showed, actually executed the attacks without the user "initiating" them by pressing any buttons.

SpiderLabs has identified a new DDoS attack tool in circulation called HOIC (High Orbit Ion Canon).


While it seems that most of the download links have been removed by law enforcement agencies, we were able to obtain a copy and have conducted dynamic analysis on it.  Here are our findings.

HOIC Analysis

HOIC is a Windows executable file.  Once started, you will be presented with the following GUI screen:


If the attacker clicks on the + sign under TARGETS, they get another pop-up box where they can specify target data.


The attacker can then specify the following Target data:
  • URL - the target website to attack
  • Power - sets the request velocity.  Initial testing shows the following:
    • Low = ~2 requests/sec for each THREAD defined on the main GUI
    • Medium = ~4 requests/sec for each THREAD defined on the main GUI
    • High = ~8 requests/sec for each THREAD defined on the main GUI
  • Booster - config scripts that define the dynamic request attributes
After the attacker clicks on the Add button, they are taken back to the main screen.


The attacker can then adjust the THREADS number if desired to further increase the strength of the attack: the request rate scales as roughly the per-thread rate of the chosen Power setting multiplied by the number of threads.  When they are ready to launch the attack, they click on the "FIRE TEH LAZER!" button.
With the default settings shown above, the HTTP requests look like this:


GET / HTTP/1.0
Accept: */*
Accept-Language: en
Host: www.hoic_target_site.com

Note the HTTP/1.0 request line and the absence of User-Agent and Referer headers.  If the target web server was Apache, example access_log entries would look like this:
72.192.214.223 - - [27/Jan/2012:08:57:59 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:57:59 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:01 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:01 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:01 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:01 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:03 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:03 -0600] "GET / HTTP/1.0" 200 21124 "
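The log entries above carry two signals a defender can act on: every request is a bare HTTP/1.0 GET with no Referer and no User-Agent (the "-" "-" at the end of each line), and a single client sends several of them per second.  The following is an added example, not code from the original SpiderLabs post, showing how to combine both signals over Apache combined-format access_log lines.  The sample lines are constructed to mirror the entries above; the second client IP 10.0.0.5, its requests, and the 5 requests/sec threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format:
#   host ident authuser [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def _hoic_line(ts):
    # Builds a constructed access_log line in the shape of the HOIC entries above.
    return f'72.192.214.223 - - [27/Jan/2012:{ts} -0600] "GET / HTTP/1.0" 200 21124 "-" "-"'


# Constructed sample: 20 HOIC-shaped lines (2, 6, 4, 6, 2 per second, as in the
# capture above) plus three requests from an assumed second client. The last of
# those is a lone HTTP/1.0 probe with no User-Agent; it matches the header
# signature but must NOT be flagged, because its rate is that of a normal client.
SAMPLE_LOG = (
    [_hoic_line("08:57:59")] * 2
    + [_hoic_line("08:58:00")] * 6
    + [_hoic_line("08:58:01")] * 4
    + [_hoic_line("08:58:02")] * 6
    + [_hoic_line("08:58:03")] * 2
    + [
        '10.0.0.5 - - [27/Jan/2012:08:58:00 -0600] "GET /index.html HTTP/1.1" 200 21124 '
        '"http://www.hoic_target_site.com/" "Mozilla/5.0 (X11; Linux x86_64) Gecko Firefox/10.0"',
        '10.0.0.5 - - [27/Jan/2012:08:58:01 -0600] "GET /style.css HTTP/1.1" 200 812 '
        '"http://www.hoic_target_site.com/" "Mozilla/5.0 (X11; Linux x86_64) Gecko Firefox/10.0"',
        '10.0.0.5 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"',
    ]
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def looks_like_hoic(entry):
    """Default-booster HOIC request shape as captured above: HTTP/1.0 request
    line, no Referer, no User-Agent. Boosters can change request attributes,
    so on its own this is a weak signal; detect() combines it with the rate."""
    return (
        entry["request"].endswith(" HTTP/1.0")
        and entry["referer"] == "-"
        and entry["ua"] == "-"
    )


def detect(lines, rps_threshold=5):
    """Return {ip: {"hoic_like": total, "peak_rps": max per second, "flagged": bool}}.

    An IP is flagged when any one-second bucket holds more than rps_threshold
    HOIC-shaped requests. With Power=Low and a single thread HOIC already sends
    about 2 req/s, and every extra thread multiplies that, so a threshold of 5
    header-less HTTP/1.0 GETs per second from one client is an assumed but
    conservative cut-off well above what a browser produces for one page."""
    per_ip_bucket = defaultdict(lambda: defaultdict(int))
    for line in lines:
        entry = parse_line(line)
        if entry is None or not looks_like_hoic(entry):
            continue
        bucket = entry["time"].replace(microsecond=0)  # one-second buckets
        per_ip_bucket[entry["ip"]][bucket] += 1

    report = {}
    for ip, buckets in per_ip_bucket.items():
        peak = max(buckets.values())
        report[ip] = {
            "hoic_like": sum(buckets.values()),
            "peak_rps": peak,
            "flagged": peak > rps_threshold,
        }
    return report


if __name__ == "__main__":
    for ip, info in detect(SAMPLE_LOG).items():
        print(ip, info)
```

Run against a real access_log by replacing SAMPLE_LOG with the file's lines.  Because HOIC boosters can alter the request attributes, treat the header check as a way to lower false positives from legitimate bursts (a crawler with a User-Agent, a browser fetching page assets) rather than as the primary detection; the per-source request rate is the signal that survives header randomisation.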




Monday 18 March 2013

Learn About LOIC

FAQ

  • Is LOIC infected with a virus? NO, your AV gives a false positive. Disable your AV. The source code is included in the download to prove this.
  • Will I get caught/arrested for using it? Chances are next to zero. Just blame you have a virus, or simply deny any knowledge of it.
  • Can I use a PROXY? NO, you will just attack the proxy. But a VPN is OK.
  • LOIC can't connect? Turn off MSE / AV and/or your Firewall. Still no go? On IRC, type /map and choose a different server.
  • Requests stuck? Target is down, KEEP FIRING TO KEEP IT DOWN
  • Who/What is the target; Set LOIC on HIVEMIND mode or see the topic in main IRC channel.
  • What settings should I use? Join the HIVEMIND or leave it at default w/ TCP. Protip: Don't go over 100 threads.
  • What is (D)DOS?
  • What is a botnet?
  • How do I get a botnet? No.


IRC FAQ

Rules:

  • DO NOT PM OPs!
  • READ the TOPIC in the channels. Scroll up!!!
  • Stay on topic!
Type /msg nickserv help to register to talk.
See link above for any other questions.

To get on IRC:

We highly recommend using SSL if possible to make it harder for someone to sniff out your password.
Simply install OpenSSL (anywhere on your HDD) and change the port on mIRC to “+6697” (without quotes) [how-to here]. Other clients might not use the ‘+’ sign for SSL.
GET THE ANONOPS MIRC CLIENT (windows) HERE(updated 18 dec).
It will automatically connect you to IRC and join the channels. It also hides join/quits.
  • Unzip it to your desktop
  • Start with the mIRC shortcut
  • Choose a name and click OK
Other Clients: Nix xChat / Mac colloquy
Channel List (click to join w/ client or type /join #channel):
Type /list on IRC for full list of channels.