Tuesday 19 March 2013

LEARN about HOIC

HOIC DDoS Analysis and Detection

In a previous blog post, we provided details of a DDoS attack tool called LOIC (Low Orbit Ion Cannon) used by Anonymous in support of denial of service attacks over the past year. Attackers are constantly changing their tactics and tools in response to defenders' actions. Recently, the SANS Internet Storm Center (ISC) also highlighted a JavaScript version of LOIC that, while generating the same attack traffic as our previous analysis showed, actually executed the attacks without the user "initiating" them by pressing any buttons.

SpiderLabs has identified a new DDoS attack tool in circulation called HOIC (High Orbit Ion Cannon).


While it seems that most of the download links have been removed by law enforcement agencies, we were able to obtain a copy and have conducted dynamic analysis on it. Here are our findings.

HOIC Analysis

HOIC is a Windows executable file. Once started, you are presented with the following GUI screen:


If the attacker clicks on the + sign under TARGETS, they get another pop-up box where they can specify target data.


The attacker can then specify the following Target data:
  • URL - the target website to attack
  • Power - sets the request velocity. Initial testing shows the following:
    • Low = ~2 requests/sec for each THREAD defined on the main GUI
    • Medium = ~4 requests/sec for each THREAD defined on the main GUI
    • High = ~8 requests/sec for each THREAD defined on the main GUI
  • Booster - config scripts that define the dynamic request attributes
After the attacker clicks on the Add button, they are taken back to the main screen.


The attacker can then adjust the THREADS number if desired to further increase the strength of the attack. When they are ready to launch the attack, they click on the "FIRE TEH LAZER!" button.
With the default settings shown above, the HTTP requests look like this:


GET / HTTP/1.0
Accept: */*
Accept-Language: en
Host: www.hoic_target_site.com
If the target web server were Apache, example access_log entries would look like this:
72.192.214.223 - - [27/Jan/2012:08:57:59 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:57:59 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:01 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:01 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:01 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:01 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:03 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:03 -0600] "GET / HTTP/1.0" 200 21124 "
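The log entries above carry a simple fingerprint for the default HOIC booster: HTTP/1.0 GETs with no Referer and no User-Agent (logged as "-" "-"), arriving several times per second from one address. The following detector is an added example for this post (not SpiderLabs code or part of HOIC): it parses Apache combined-format lines, matches that fingerprint, and reports any source address whose matching requests in a single second reach a threshold. The IP addresses in the sample are constructed, and the threshold of 4 is an assumption chosen to sit above a single-thread "Low" rate (~2/sec).

```python
import re
from collections import Counter, defaultdict

# Apache combined log format, as in the access_log sample above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample (documentation-range IPs): one address sends four HOIC-style
# hits in one second, a second address sends a single such hit (below threshold),
# and a third is an ordinary browser request that carries Referer and User-Agent.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Jan/2012:08:57:59 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
203.0.113.5 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
203.0.113.5 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
203.0.113.5 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
203.0.113.5 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
198.51.100.7 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
192.0.2.9 - - [27/Jan/2012:08:58:00 -0600] "GET /index.html HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1)"
"""

def parse(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_hoic_like(rec):
    """Default-booster fingerprint from the post: HTTP/1.0 GET with neither
    Referer nor User-Agent present (Apache logs both as "-")."""
    return (rec["method"] == "GET" and rec["proto"] == "HTTP/1.0"
            and rec["referer"] == "-" and rec["ua"] == "-")

def detect(log_text, per_second_threshold=4):
    """Return {ip: peak_hits_in_one_second} for every source whose HOIC-like
    request count within any single second reaches the threshold (assumed value)."""
    hits = defaultdict(Counter)          # ip -> Counter(timestamp second -> count)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and is_hoic_like(rec):
            hits[rec["ip"]][rec["ts"]] += 1   # Apache timestamps have 1-second resolution
    peaks = {ip: max(c.values()) for ip, c in hits.items()}
    return {ip: n for ip, n in peaks.items() if n >= per_second_threshold}

if __name__ == "__main__":
    for ip, peak in detect(SAMPLE_LOG).items():
        print(f"{ip}: {peak} HOIC-like requests in one second")
```

In production the threshold should be tuned against the server's normal rate of header-less HTTP/1.0 clients (monitoring probes and some proxies also omit User-Agent), and the check should run on a sliding window rather than on log-second boundaries.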
